Bug 219157

Summary: [WebAuthn] Current WebAuthn popup dialog text restricts use to sign-in use cases
Product: WebKit
Reporter: at.brand
Component: WebKit Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: jiewen_tan, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Safari 14
Hardware: iPhone / iPad
OS: Other
See Also: https://bugs.webkit.org/show_bug.cgi?id=181943

Description at.brand 2020-11-19 06:10:32 PST
While the current text shown by Safari during a WebAuthn assertion [navigator.get()] makes sense in the context of a sign-in, it inhibits using the feature for other use cases such as payment authorization or step-up authentication. When invoking WebAuthn during these use cases, the current text displayed on the dialog presented by the browser leads to confusion ("Do you want to sign-in to example.com using user@example.com").

Other browsers are using text that is somewhat more generic, enabling such use cases:

* "Use your security key with example.com"
* "example.com wants to authenticate you using a registered security key"
* "For security, ~application~ needs to verify your identity"

Would it be possible to consider displaying a message that is slightly more generic during the navigator.get() operation, enabling additional WebAuthn use cases other than sign-in?

Comment 1 Radar WebKit Bug Importer 2020-11-26 06:11:15 PST
<rdar://problem/71749854>