
Re: [webauthn] Personal information updates & webauthn (#1456)

From: Darien Maillet Valentine via GitHub <sysbot+gh@w3.org>
Date: Sat, 03 Jul 2021 06:03:20 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-873352998-1625292199-sysbot+gh@w3.org>

@dwaite Thanks for the excellent explanation of what “updating” non-discoverable creds would have to account for. Also the clarification in the last two paragraphs about what’s possible today (especially re: what UX strategies are realistic) is very helpful.

> [...] confirmed by the user via client UX to prevent abuse scenarios

I’m curious to understand what these scenarios might look like. Since other Credential types permit updating the user/account display fields today without mediation, is there something unique about PublicKeyCredential which changes the equation?


(Not directly related, but:) It’s starting to look like I’ll be returning from my journey through WebAuthnLand with nothing to show for it apart from some new knowledge. The showstopper was learning (rather late...) that if you use `get()` to “discover” a discoverable credential, then if there are none, the agent surfaces a prompt anyway: “Plug in your USB device”. This would bewilder the majority of our users and would seem like a bug — or even something malicious — for those who haven’t yet created an account. I had been under the impression that passwordless auth was already possible with WebAuthn, but afaict it’s still a bit out of reach.

GitHub Notification of comment by bathos
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1456#issuecomment-873352998 using your GitHub account

Received on Saturday, 3 July 2021 06:03:23 UTC
