
Is there a way to check before calling navigator.credentials.get if the credential exists on the platform authenticator? For example, if you specify that only platform authenticators can be used and not roaming authenticators, how do you know if the credential still exists on the platform authenticator? If the platform authenticator being used is your phone, then the credentials will be removed when you factory reset the device.

I'm familiar with the concept of resident keys vs non-resident keys and that resident keys are discoverable. I'm asking though for the non-resident keys use case. Is the only

Note: I already asked a similar question here, but what I'm asking here is different. I want to know how to check for the existence of the credential from the browser and not using the Android APIs like the other question.

adoyon23

1 Answer


Unfortunately, it's the same answer as to your other question: there is no way to be 100% sure. The best possible solution as of today is storing the credential ID in local storage (or a cookie) where it was created. That way, you can check whether you should offer the fingerprint login (aka Platform Authenticator) option on that device, i.e., in that browser.

There have been some attempts in the FIDO Alliance and the W3C WebAuthn WG to change this, but so far it has not been done, mainly due to privacy reasons.

FlxMgdnz
  • Thanks for responding again. I just don't understand how storing the credential id locally helps much though. If it is stored in local app storage or a cookie, then it will be cleared on app uninstall. And if it is stored in external storage, it could be modified by the user or potentially other apps. Please correct me if I'm missing something. I've settled on always acting as if the credential exists on the device if I know the device is where the credential was created. The only case where this would fail is after the user has factory reset their device. – adoyon23 May 28 '21 at 02:05
  • You are absolutely right, the information is lost on app uninstall or when local storage is cleared by the user. This is why there is no way to be 100% sure. Unfortunately there is no better way as of today. – FlxMgdnz Jun 29 '21 at 16:59
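
The local-hint approach from the answer, sketched as an added example (not code from the question, the answer or any library): the credential ID is remembered where it was created, the platform login option is offered only when that hint and a platform authenticator are both present, and a hint that keeps failing is dropped. The helper names, storage keys, `MAX_FAILS` and the `userVerification` setting are assumptions; in a browser, pass `localStorage`, `window.PublicKeyCredential` and `navigator.credentials`.

```javascript
// Added example: helper names, storage keys and MAX_FAILS are assumptions, not a WebAuthn API.
const HINT_KEY = 'webauthn.platformCredentialId';
const FAIL_KEY = 'webauthn.platformFailures';
const MAX_FAILS = 3;

// base64url string -> bytes, the form allowCredentials[].id expects.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Call after navigator.credentials.create() succeeds in this browser.
function rememberCredential(storage, credentialIdB64url) {
  storage.setItem(HINT_KEY, credentialIdB64url);
  storage.removeItem(FAIL_KEY);
}

// True only when a credential was created here AND a platform authenticator is present.
// It cannot prove the key still exists (factory reset) and is lost when storage is cleared.
async function shouldOfferPlatformLogin(storage, pkc) {
  if (!storage.getItem(HINT_KEY)) return false;
  if (!pkc || !pkc.isUserVerifyingPlatformAuthenticatorAvailable) return false;
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Returns the assertion, or null so the caller can show another login method.
async function loginWithPlatform(storage, credentials, challenge) {
  const id = storage.getItem(HINT_KEY);
  if (!id) return null;
  try {
    const assertion = await credentials.get({ publicKey: {
      challenge, // bytes issued by the server for this login attempt
      allowCredentials: [{ type: 'public-key', id: b64urlToBytes(id), transports: ['internal'] }],
      userVerification: 'required',
    } });
    storage.removeItem(FAIL_KEY);
    return assertion;
  } catch (err) {
    // Cancel, timeout and a missing credential are not distinguishable to the page,
    // so one failure does not prove the hint is stale; drop it after MAX_FAILS in a row.
    const fails = Number(storage.getItem(FAIL_KEY) || 0) + 1;
    if (fails >= MAX_FAILS) { storage.removeItem(HINT_KEY); storage.removeItem(FAIL_KEY); }
    else storage.setItem(FAIL_KEY, String(fails));
    return null;
  }
}
```

The hint is a UI decision aid only; the server still verifies every assertion, and a user whose hint was dropped goes through the fallback login before the platform credential is offered again.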