Re: [webauthn] Support `discoverableCredential` field in the API. (#1565)

@lgarron you can't mix discoverable and non-discoverable credentials in most workflows. Additionally, most credentials have no way to inspect what discoverable (resident keys) exist and have no method to manage them. For example, I have a YubiKey, and there is no tool to list what rk's exist on it, nor any docs that I can find about what happens if I fill that storage.

Similarly, Apple will silently replace your discoverable keys in the background if you re-register them on the same domain (even with a different username), meaning you can only have one key per site (so you can't multi-account from a single device).

Generally, discoverable keys have so many sharp edges that for users it will likely present a confusing and risky workflow. IMO discoverable keys are there so that certain large mega corps with strictly controlled devices, who have this tooling and such, can do their own thing, but there is a definite lack of attention to rk's for consumers. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1565#issuecomment-1076861515 using your GitHub account



Received on Wednesday, 23 March 2022 21:59:58 UTC