Add support for WebAuthn's conditional create #582
Comments
Hey @MasterKale, a few months ago, I was trying to implement the conditional UI flow with the browser package, but I wasn't able to get it working properly without eventual fails. https://simplewebauthn.dev/docs/packages/browser#browser-autofill-aka-conditional-ui As you described here, we should add the |
Would it be possible to create a new passkey on login with an existing passkey, with Conditional Create, as well? |
Good question @lmarschall, let me ask around and see what the consensus is.
Hmm, conditional create in the L3 draft says this...
Which means the answer is "maybe, but it's up to the browser" 🤔 |
@MasterKale |
I'm gearing up to tackle this Soon™ and realized that I need to consider how to allow the user presence bit to be false. Conditional create makes this a first for WebAuthn; it's otherwise required to be |
I need to add a new option to Potential candidates include:
I'm open to suggestions. |
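The relaxation discussed in the comment above, as an added example that is not SimpleWebAuthn's own code: a server-side check of the authenticator data flags byte that accepts a cleared user presence bit only for a conditional create ceremony. `parseFlags`, `checkRegistrationFlags`, `sampleAuthData` and the options `conditionalCreate` and `requireUserVerification` are hypothetical names, and the sample inputs are constructed.

```javascript
// Flag bits in the WebAuthn authenticator data flags byte.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const FLAG_BE = 0x08; // bit 3: backup eligible
const FLAG_BS = 0x10; // bit 4: backup state
const FLAG_AT = 0x40; // bit 6: attested credential data included

function parseFlags(authData) {
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const b = authData[32];
  return {
    up: (b & FLAG_UP) !== 0,
    uv: (b & FLAG_UV) !== 0,
    be: (b & FLAG_BE) !== 0,
    bs: (b & FLAG_BS) !== 0,
    at: (b & FLAG_AT) !== 0,
  };
}

// `conditionalCreate` (hypothetical option) should come from server-side
// state saved with the challenge, never from the client's response.
function checkRegistrationFlags(
  authData,
  { conditionalCreate = false, requireUserVerification = false } = {},
) {
  const flags = parseFlags(authData);
  const errors = [];
  if (!flags.at) errors.push('no attested credential data in registration');
  if (flags.bs && !flags.be) errors.push('backup state set without backup eligibility');
  // UP may be clear only when the ceremony was started as a conditional create.
  if (!flags.up && !conditionalCreate) errors.push('user presence required');
  if (requireUserVerification && !flags.uv) errors.push('user verification required');
  return { ok: errors.length === 0, flags, errors };
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte varies.
function sampleAuthData(flagsByte) {
  const buf = new Uint8Array(37);
  buf[32] = flagsByte;
  return buf;
}
```
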
Maybe |
I went with |
@lmarschall Check out the new @simplewebauthn/[email protected] - Just a heads up, the API of |
EDIT: never mind, I realized it requires Apple passwords and enabling "Allow automatic passkey upgrades", so it's an Apple-only thing; it wasn't clear from the changelog.
@MasterKale Hi, sorry for the noob question. I wanted to try this new functionality even though it's not documented yet, but adding useAutoRegister to startRegistration doesn't seem to do anything on Chrome browser v130 on both Windows 11 and Android. Am I missing something? Maybe this is expected to work only on Safari 18? This is how I added it, but it works just the same as if I just passed options alone, so the UI to create passkeys is being displayed.
attestationResponse = await SimpleWebAuthnBrowser.startRegistration({ optionsJSON: options, useAutoRegister: true }); |
@MasterKale Thank you for the advancements in this project, definitely going to take a look at the new functions this week 👍 |
@swagliquido Support for conditional create must exist in the passkey provider and the operating system (and/or browser depending on what's talking to the passkey provider.) Right now Apple's operating system and iCloud Keychain are the first combination of that I know of to have pretty reliable support for this. Microsoft and Google will gradually implement support in Windows and Android respectively, and it's likely Chrome will be able to broker some of this as well/in the meantime while the OSs get updated. |
Describe the issue
At WWDC 24 this week Apple debuted macOS Sequoia Dev Beta 1, which includes Safari 18.0 Beta. According to the WebKit blog, Safari 18.0 Beta supports "conditional create" added to WebAuthn L3. This is what Apple is referring to when it mentions "automatic passkey upgrades."
This new capability allows an RP to "silently" trigger a passkey registration after a successful traditional authentication (i.e. username+password auth) without the user needing to click through any browser modals. From that point on the RP could switch the user to passkeys at the next login.
Supporting this isn't much different than supporting conditional UI during auth; it's an otherwise normal call to navigator.credentials.create() with some specific options passed in. I can easily add such a capability to @simplewebauthn/browser's startRegistration() method similar to how I added conditional UI support with startAuthentication(..., true).
Additional Resources
Safari flow chart for when an RP can trigger conditional create: