Re: [webauthn] Personal information updates & webauthn (#1456)

@bathos some of the inconsistencies are from the transactional nature of the commands and the fact that there is no guarantee that the 'visible' set of authenticators/keys will be there in between calls.

For example, attempting to update the username associated with a credential or delete a credential might involve an NFC key which the user does not have with them at the moment, or they may even be on a machine without NFC capabilities.

The UX impact of this is brought forth even more due to non-discoverable credentials not existing in an enumerable fashion outside a list of supplied credential handles, and that allowing RP enumeration of the list of available discoverable and non-discoverable credentials is a privacy risk in general.

My expectation personally is that we see WebAuthn evolve to indicate broader actions, and to have the client (browser/platform) taking on more responsibility to mediate RP requests - the client has persistent state across all RPs and hardware/platform access to communicate with authenticators.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1456#issuecomment-872733241 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 2 July 2021 05:44:35 UTC