The backend currently has responsibility for requesting the authenticator interfaces/sources (USB, hybrid, NFC). This was initially done to allow the backend to have full control over the timing of the request, and which transports would be made available. I don't think this is very useful, and it complicates the interaction between the backend and frontend.
Starting the discovery on the frontend, and then notifying the backend when a particular authenticator is selected by the user means that we can get a more consistent experience between desktops (e.g., the user can always skip straight from the hybrid QR code to using a security key by selecting USB). I don't know if that's desirable, but I think the simplicity tradeoff is worth it.
Some downsides:
- The backend is not in control of when the discovery starts, so the user cannot be notified before the request is sent to the authenticators. Desktop environments may want more control, for example, showing a welcome screen, or not allowing certain interfaces (for a variety of reasons: privacy, security, power management, or just preference).
We'll have to get feedback from desktop environments to decide, but we need a working implementation first. I think we should do the simpler approach first, which would be to have the frontend manage discovery.