Re: [webauthn] residentKey: "preferred-if-unlimited"? (#1822)

At the time discoverable was seen as a requirement for passwordless.

Storing the credential ID in cookies creates cross-browser flow issues and increases the number of times the user needs to register. Returning the credentialID without a password is a potential privacy issue in that it allows attackers to probe for what accounts are valid.

Yes, the lack of discoverable on Android has caused people to come up with creative solutions to do passwordless other ways.

However, I think the feeling at the time of L2 was to use preferred to start moving people to the better discoverable experience.

As I noted, that didn't really work. RPs didn't really show any interest in discoverable until Apple and Android promised to support it in the form of passkeys.

We do still need preferred for RPs that want to continue to be backwards compatible, and there I think a small tweak to the definition may be all that is needed to prolong the utility of the devices people have already purchased. Though for other devices like phones I suspect not many of us are still using 2017 models :)


-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1310213961 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 November 2022 12:31:30 UTC