Re: [webauthn] Why not email/username as user.id / user handle? (#1763)

Because these become baked into the credential in a way that may never change, this can have impacts on individuals when they need to change their name (think divorce, leaving domestic violence). Additionally it may also have privacy disclosure impacts on individuals as well. 

The user id and handle ARE transmitted during authentication for discoverable credentials (usernameless flows). 

However, the displayName field *can* be changed post credential creation, which is why these can contain info that the client side can update, and this displayName is NOT transmitted during auth. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1763#issuecomment-1175859156 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 07:06:48 UTC
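
The point made in the comment above, as an added example that is not part of the original comment or of any project's code: a relying-party server assigns a random opaque user handle as `user.id`, keeps the email and display name as mutable fields of its own record, and resolves a usernameless assertion by the returned `userHandle`. The in-memory `accounts` map, the function names and the sample addresses are hypothetical.

```javascript
// Added example. Store, function names and sample values are assumptions.
const { randomBytes } = require("node:crypto");

// Server-side account store, keyed by the base64url form of the user handle.
const accounts = new Map();

function createAccount(email, displayName) {
  // 32 random bytes: opaque, no personal data, within the 64-byte
  // limit WebAuthn places on user handles.
  const userHandle = randomBytes(32);
  const account = { userHandle, email, displayName };
  accounts.set(userHandle.toString("base64url"), account);
  return account;
}

// The `user` member of PublicKeyCredentialCreationOptions for this account.
// Only `id` is fixed for the life of the credential.
function registrationUser(account) {
  return {
    id: account.userHandle,
    name: account.email,
    displayName: account.displayName,
  };
}

// A name or email change touches only the server-side record. The handle
// already stored on the user's authenticators stays valid and reveals nothing.
function renameAccount(account, email, displayName) {
  account.email = email;
  account.displayName = displayName;
}

// Usernameless flow: the assertion response carries `userHandle`, which is
// the only identifier the server needs to find the account.
function accountForAssertion(userHandleBytes) {
  const key = Buffer.from(userHandleBytes).toString("base64url");
  return accounts.get(key) ?? null;
}

// Constructed walk-through: register, rename, then authenticate.
const demo = createAccount("old.name@example.test", "Old Name");
const storedOnAuthenticator = Uint8Array.from(registrationUser(demo).id);
renameAccount(demo, "new.name@example.test", "New Name");
console.log(accountForAssertion(storedOnAuthenticator).email);
```

Had the email been used as `user.id`, the rename step would leave the old address on every authenticator, and it would be sent back on each usernameless sign-in.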