Re: [webauthn] Support `discoverableCredential` field in the API. (#1565)

> Generally, discoverable keys have so many sharp edges that for users it will likely present a confusing and risky workflow. IMO discoverable keys are there so that certain large mega corps with strictly controlled devices, who have this tooling and such, can do their own thing, but there is a definite lack of attention to rk's for consumers.

Funny enough I always figured the only reason _non-discoverable/non-resident_ keys were in the picture was to account for “certain large mega corps” and maybe a handful of tech utopians, so this statement seems pretty surprising! I work on a (decidedly) non-megacorp app with a userbase where few if any people have heard of yubikeys. If the browser pops an “insert your space dongle” modal they get worried they have a virus. It’s difficult enough to provide a solid user experience with webauthn without this in the mix, and an inscrutable roadblock being placed in front of our real users for the sake of a hypothetical user who’s not there is a non-starter. This is not a judgment about yubikey and co, it’s just our reality.

I don’t claim to understand the whole picture here or even a sizable fraction of it, but hope sharing this POV could help the API designers understand why webauthn has become a discoverable-platform-credentials-or-nothing thing for developers who need to serve demographics that aren’t inside the tech bubble.

-- 
GitHub Notification of comment by bathos
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1565#issuecomment-1077050384 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 24 March 2022 04:15:01 UTC