Privacy concern with preferImmediatelyAvailableCredentials

As per the WebAuthN spec for Privacy, the authenticator shouldn't disclose the availability of keys on the device(although as a trusted RP knowing this info will be greatly help optimizing UI for end user) https://w3c.github.io/webauthn/#sctn-assertion-privacy

But seems like I can guess the availability of keys by doing an assertion request with this option https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/requestoptions/3994648-preferimmediatelyavailablecreden

Although the error code is generic, based on timing information like if it returned immediately instead of opening the QR code fallback, I can guess the availability of a key.

Answered by Systems Engineer in 729043022

Excellent point! This is actually an area where all major browsers have already explicitly chosen to deviate from the spec in favor of usability, and our AuthenticationServices API follows suit. Per the spec, a browser should hold the error when a user cancels the sheet, and not actually deliver the error back to the site until the timeout expires. In practice, this creates a very poor user experience because the user could be sitting and staring at the site for 30 seconds or more after cancelling a WebAuthn operation before the site knows anything has happened. Within the WebAuthn Working Group, major browser vendors decided to either return errors immediately or with some small delay injected, in order to make the WebAuthn API more usable.

Accepted Answer

Excellent point! This is actually an area where all major browsers have already explicitly chosen to deviate from the spec in favor of usability, and our AuthenticationServices API follows suit. Per the spec, a browser should hold the error when a user cancels the sheet, and not actually deliver the error back to the site until the timeout expires. In practice, this creates a very poor user experience because the user could be sitting and staring at the site for 30 seconds or more after cancelling a WebAuthn operation before the site knows anything has happened. Within the WebAuthn Working Group, major browser vendors decided to either return errors immediately or with some small delay injected, in order to make the WebAuthn API more usable.

Thanks for clarification

Privacy concern with preferImmediatelyAvailableCredentials
 
 
Q