Passkey Endpoints Well-Known URL

Hi all!

In collaboration with Google and other members of the FIDO Alliance, we'd like to propose a new WebAppSec work item to help support passkeys adoption. As passkeys support continues to increase across the web, passkey providers (traditionally called password managers) and clients (OS, app platforms, browsers) would like to provide "upgrade-like" experiences for users when services they've been using passwords with add support for passkeys.

For example, a passkey provider may want to show an icon next to an entry in the list of credentials showing that they can update their account with a passkey. Or an operating system may want to show a toast to a user after a password is autofilled into an app.

Relying parties can opt into these experiences by hosting a static document at the specified well-known endpoint. Passkey providers and clients can optionally use this metadata to drive users directly to passkey enrollment flows.

Another primary use case is passkeys management. Today, clicking on a link to a site in a password manager takes the user to a login screen. This well-known endpoint provides the ability to specify a specific URL for passkey management, allowing the passkey provider to push the user directly to the account settings page where passkeys can be managed (delete, rename, see last used, etc.).

This proposal was inspired by the Change Password well-known URL from Apple.

Explainer: https://github.com/ms-id-standards/MSIdentityStandardsExplainers/blob/main/PasskeyEndpointsWellKnownUrl/explainer.md

Looking forward to the discussion!

Tim Cappalli
Microsoft Identity Standards

Received on Tuesday, 11 July 2023 15:17:50 UTC