Post AWMwNXYCs72ntPEObg by nsa@hachyderm.io
(DIR) Post #AWMwNRMzqsVoitwMIi by nsa@hachyderm.io
2023-06-04T15:00:14Z
0 likes, 1 repeats
Implementing #passkeys?
A few pitfalls I've seen recently:
* Not setting `residentKey` to `required`. This tells the authenticator credentials must be discoverable with empty allow lists on assertions.
The default is `discouraged` which is not what you want for passkeys. iPhones don't support non rk credentials so it makes no difference for them, but Android phones will create a non rk credential which will be created but won't show up on a passkey authentication (!!!).
(DIR) Post #AWMwNUchkvrMoUJRhY by nsa@hachyderm.io
2023-06-04T15:04:18Z
0 likes, 0 repeats
* Attempting to make a platform credential without checking `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` first. Please, call this method before showing the user any hero dialog telling them to upgrade to a local passkey. Otherwise the user will see a modal dialog error saying that their device doesn't support the required authenticator.
Most devices have one such authenticator but a lot don't: Windows without Hello set up and Linux boxes are examples.
(DIR) Post #AWMwNXYCs72ntPEObg by nsa@hachyderm.io
2023-06-04T15:06:22Z
0 likes, 0 repeats
Did you know you can simulate all these conditions with the chrome #devtools webauthn panel? It's pretty nifty to debug webauthn on chrome desktop.
https://developer.chrome.com/docs/devtools/webauthn/
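
An added example, not part of the original posts, covering both pitfalls in the thread: a check that registration options really ask for a discoverable credential, and a guard to run before showing a platform passkey prompt. The function names are hypothetical; `rp`, `user` and `challenge` are assumed to come from the server.

```javascript
// Added example; function names are hypothetical, not from the thread.

// Effective residentKey per the WebAuthn spec: when the member is absent it
// falls back to the legacy requireResidentKey flag, otherwise "discouraged".
function effectiveResidentKey(selection = {}) {
  if (selection.residentKey) return selection.residentKey;
  return selection.requireResidentKey ? "required" : "discouraged";
}

// Review registration options (the `publicKey` member passed to
// navigator.credentials.create()) for the first pitfall.
function passkeyOptionProblems(publicKey) {
  const problems = [];
  const rk = effectiveResidentKey(publicKey.authenticatorSelection);
  if (rk !== "required") {
    problems.push(`residentKey is "${rk}"; the credential may not be discoverable`);
  }
  return problems;
}

// Second pitfall: only advertise a platform passkey when the browser reports
// a user-verifying platform authenticator. `pkc` is injectable for testing.
async function canOfferPlatformPasskey(pkc = globalThis.PublicKeyCredential) {
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false; // WebAuthn is not available at all
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch {
    return false; // on error, do not show the upgrade prompt
  }
}

// Options for a platform passkey; rp, user and challenge come from the server.
function platformPasskeyOptions({ rp, user, challenge }) {
  return {
    rp, user, challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      authenticatorAttachment: "platform",
      residentKey: "required",
      requireResidentKey: true, // same intent for WebAuthn Level 1 clients
    },
  };
}
```

In the browser, call `canOfferPlatformPasskey()` before rendering the upgrade dialog and pass the result of `platformPasskeyOptions(...)` as the `publicKey` member of `navigator.credentials.create()`.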