Tri-Bank has 1 or more registered users from this device (My Windows Hello PC "Bad Boy").
There is no active session or ambient user to the RP (sub)domain. (Seeing local/session storage deprecated but all cookies also expired)
I simply cannot see a usernameless login interaction possibility
I will investigate that UPVA is deterministic on multi-user device but the spec is not only non-canonical, it seems to be off in fairy land :-(
Authentication WebAuthn-3 and Authentication WebAuthn-2
Please expand on point .2
The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.
Which spec can we refer to (CTAP-10?) that will enlighten us to what is returned to a GET call with an empty "allowCredentials"?
How can the RP refine the user selection granularity without a .GET that either identifies a single user or returns new Error("non-deterministic")?
Does no one else see this as pivotal?
If we always have to ask for username please just say "We always have to identify username first!"
Otherwise could the user be prompted with "We have Ringo and Paul registered; which one do you want?" :-(
And yes, I know Paul can't login to Ringo's account without his thumb. I'm alluding to the unacceptable disclosure of Ringo's financial activity to Paul. Probably not a big deal unless it was John :-)
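An added example, not part of the post above and not code from the WebAuthn specification: a sketch of how an RP script can issue the request with an empty "allowCredentials" and then identify the account from `response.userHandle`, which WebAuthn returns for discoverable credentials. The RP ID, the account table and the helper names (`buildRequestOptions`, `resolveAccount`, `demo`) are assumptions; with an empty list, picking among several credentials on the device happens in the client's own UI and the script receives only the selected assertion.

```javascript
// Added example. RP_ID, ACCOUNTS and the assertion in demo() are constructed values.
const RP_ID = "tri-bank.example"; // hypothetical RP ID

// Options for navigator.credentials.get({ publicKey: ... }).
// knownCredentialIds: Uint8Array[] collected after a username step; an empty
// list requests a discoverable credential (the usernameless case).
function buildRequestOptions(challenge, knownCredentialIds = []) {
  return {
    challenge,
    rpId: RP_ID,
    userVerification: "required",
    allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
  };
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// accounts: Map<userHandleHex, { name, credentialIds: Set<credentialIdHex> }>
// Returns the account the assertion belongs to, or null when the caller
// already identified the user and the authenticator sent no user handle.
function resolveAccount(assertion, accounts, userKnownBeforehand = false) {
  const handle = assertion.response.userHandle; // ArrayBuffer or null
  if (!handle || handle.byteLength === 0) {
    if (!userKnownBeforehand) throw new Error("no userHandle: ask for a username first");
    return null;
  }
  const account = accounts.get(toHex(handle));
  if (!account || !account.credentialIds.has(toHex(assertion.rawId))) {
    throw new Error("credential is not registered to this user handle");
  }
  return account; // signature verification with the stored public key still follows
}

// Constructed registrations: two users on the same device, opaque user handles.
const ACCOUNTS = new Map([
  ["01a1", { name: "ringo", credentialIds: new Set(["c1"]) }],
  ["02b2", { name: "paul", credentialIds: new Set(["c2"]) }],
]);

function demo() {
  // Constructed assertion, shaped like the PublicKeyCredential the client returns.
  const assertion = {
    rawId: Uint8Array.from([0xc2]).buffer,
    response: { userHandle: Uint8Array.from([0x02, 0xb2]).buffer },
  };
  return resolveAccount(assertion, ACCOUNTS).name;
}
```
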