- From: Adam Langley <agl@google.com>
- Date: Thu, 3 Nov 2022 14:21:14 -0700
- To: Ben Bangert via GitHub <sysbot+gh@w3.org>
- Cc: public-webauthn@w3.org
- Message-ID: <CAL9PXLwu+LypLutfO_wVtN0b_Ke=vom42H3j-gd5HURDTZ1SXw@mail.gmail.com>

On Thu, Nov 3, 2022 at 1:23 PM Ben Bangert via GitHub <sysbot+gh@w3.org> wrote:

> @timcappalli Thanks, I think to rephrase this, I'm wondering whether the
> authenticator could or should provide an authenticator name the user is
> familiar with along with the credential so they will not be prompted for it
> every time they enroll a new authenticator on a service. Currently there's
> a raw ID the service gets, but it's not clear to me how the browser makes
> such an ID visible to a user such that they'd know which
> authenticator/device of theirs corresponds to that ID. If a user enrolled
> multiple authenticators, before deciding to name the credentials, how would
> the user figure out which credential id goes to what?

Given the topic of the thread, I'll assume that you're thinking mostly about platform authenticators. We pondered whether such a value could be provided but in a world where credentials are syncing between Android devices, or between Apple devices, then the reasonable values either ended up very vague (e.g. "Your Android devices") or impossibly identifying ("Passkey saved to bob@icloud.net").

Many services may wish not to enumerate the registered WebAuthn credentials and simply have a button, like a password reset button, that triggers a new registration then erases all other credentials and active sessions. For many sites, I hope that would work fine.

If a site does desire to enumerate credentials then prompting the user for a name at registration time is certainly something that some deployments have done.

Cheers

AGL

Received on Thursday, 3 November 2022 21:21:44 UTC