Re: [w3ctag/design-reviews] Incubation: Email Verification Protocol (Issue #1169) from Dick Hardt on 2025-12-17 (public-webapps-github@w3.org from December 2025)

From: Dick Hardt <notifications@github.com>
Date: Wed, 17 Dec 2025 02:28:00 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/1169/3664692165@github.com>

dickhardt left a comment (w3ctag/design-reviews#1169)

> A thought occurs: will sites want to use this in place of passkeys for login?

I would suspect so for simpler sites. Passkeys have many sharp edges -- and sites want a memorable identifier -- which passkeys don't provide today. 

A WebAuthN interaction between the browser and the issuer as part of EVP I think provides a fantastic step up for simpler sites. The issuer knows the credentials it supports for the email address provided -- and the site gets a verified email and the security of passkeys without having to directly support passkeys. 

A browser integrated with an issuer can do the same thing to provide a directed email address to the site and use a passkey for authenticating the user transparent to the site as Sam mentions above. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1169#issuecomment-3664692165
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1169/3664692165@github.com>

Received on Wednesday, 17 December 2025 10:28:04 UTC