Supporting WebAuthn login without login param in webauthn_login feature

[janko]

After finding out that authenticating via WebAuthn with allowCredentials: [] is supported outside of autofill UI (aka "conditional mediation"), it seems to me that this functionality could be supported by the webauthn_login feature directly, instead of having to enable the webauthn_autofill feature for that.

One approach would be to make the login param optional by default, which would allow for a WebAuthn login button without the user first entering their email address (like the one GitHub recently implemented). This would allow any credential for this website to be selected. A downside of this approach is that the account_webauthn_keys.webauthn_id column is only guaranteed to be unique within an account (Rodauth doesn't recommend a unique constraint on the webauthn_id column), so this could theoretically allow users to login into other people's accounts if their credential ID happens to match another person's credential ID.

An alternative would be to add a configuration option that allows the login param to be optional – basically what you currently get by enabling the webauthn_autofill feature. This seems like a safer approach, though maybe not necessary. It could be named something like webauthn_login_requires_login?, which seems accurate albeit slightly repetitive.

Moreover, it seems to me that autofill UI doesn't have good enough browser support, e.g. Chrome that supported it before doesn't seem to be support it anymore 🤷🏻‍♂️ The only browser I know that currently supports it it Safari. In that case, I don't know if Rodauth should support this out of the box, it could be clearer if there was just the webauthn_login feature.

[jeremyevans]

Can you describe the problem with requiring the webauthn_autofill feature to get this behavior? Does it bring in too much overhead?

I don't like the idea that by default you can login without even knowing the account login/email. This makes it much easier to for attackers with temporary access to a computer with a valid WebAuthn credential to access accounts. Certainly if a user wants that configuration, I'm OK with Rodauth supporting it, I just don't think it is a good default.

I'm not necessarily opposed to a webauthn_login_requires_login? method, but if there isn't a significant problem with requiring webauthn_autofill, it may be better to stick with the status quo.

[janko]

Thanks for the input, that makes sense. No, there is no problem requiring the webauthn_autofill feature for this, it just felt strange to do so when I don't want to actually use the autofill UI. But I'm fine with keeping the status quo 👍🏻