Re: [webauthn] How to know if a user has already registered a device? (#1749)

And when Tim says "passkeys" they mean "credentials that were platform bound and opportunistically created resident/discoverable keys" or "FIDO2 devices where rk=true was requested at registration".

The trick here is *most* platform authenticators will create a resident/discoverable key even if the registration requests rk=false. That allows you to mostly discover them. 

However, with FIDO2 devices (such as YubiKeys) you can't rely on this because they will not create an rk unless you request it. You also *should not* request rk=true outside of some circumstances with these devices because they have finite storage; on some keys as few as 8 rks are available. This means "if everyone set rk=true, some users will only be able to log in to 8 websites maximum".

So remember, you can use conditional UI to *opportunistically* find out if the user has an rk, but you still need to account for cases where they do not, and they need to enter a username and proceed that way. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1292766265 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 26 October 2022 23:19:51 UTC
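The flow the comment describes, written out as an added example (this is not code from the thread, the WebAuthn spec, or any project): a relying-party front end starts a conditional-UI request with an empty allowCredentials list to opportunistically surface a discoverable key, keeps the username form live at the same time, and falls back to a username-first assertion with a populated allowCredentials list when no rk exists. A registration-options builder shows the matching rk choice per authenticator attachment. The names `readUsername`, `serverApi`, `credentialsApi` and `PublicKeyCredentialCtor` are injected assumptions so the flow can run outside a browser; the fake authenticator and server are constructed stand-ins.

```javascript
// Added example, not from the thread above. In a browser, credentialsApi is
// navigator.credentials and PublicKeyCredentialCtor is window.PublicKeyCredential.

function base64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Registration: platform authenticators tend to create an rk regardless, so
// "preferred" costs nothing there; roaming keys have few rk slots, so don't
// force one. (Assumed policy, not something the thread prescribes verbatim.)
function buildRegistrationOptions({ challenge, rpId, user, attachment }) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      authenticatorAttachment: attachment,
      residentKey: attachment === "platform" ? "preferred" : "discouraged",
      userVerification: "preferred",
    },
  };
}

async function conditionalMediationAvailable(ctor) {
  if (!ctor || typeof ctor.isConditionalMediationAvailable !== "function") return false;
  return ctor.isConditionalMediationAvailable();
}

// Opportunistic path: empty allow list + conditional mediation. The promise stays
// pending until a discoverable key is chosen or the request is aborted.
async function tryDiscoverableLogin({ credentialsApi, challenge, rpId, signal }) {
  try {
    return await credentialsApi.get({
      mediation: "conditional",
      signal,
      publicKey: { challenge, rpId, allowCredentials: [], userVerification: "preferred" },
    });
  } catch (e) {
    if (e && e.name === "AbortError") return null;
    throw e;
  }
}

// Fallback path: the server supplies credential IDs for the typed username, so a
// non-resident key (e.g. a security key registered with rk=false) can still sign.
async function usernameFirstLogin({ credentialsApi, serverApi, challenge, rpId, username }) {
  const ids = await serverApi.credentialIdsFor(username);
  if (ids.length === 0) return null;
  return credentialsApi.get({
    publicKey: {
      challenge,
      rpId,
      allowCredentials: ids.map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
      userVerification: "preferred",
    },
  });
}

// Runs both paths side by side; whichever the user completes wins.
async function login({ credentialsApi, serverApi, PublicKeyCredentialCtor, rpId, readUsername }) {
  const challenge = base64urlToBytes(await serverApi.challenge());
  const ac = new AbortController();
  const discoverable = (await conditionalMediationAvailable(PublicKeyCredentialCtor))
    ? tryDiscoverableLogin({ credentialsApi, challenge, rpId, signal: ac.signal })
        .then((a) => (a ? { path: "discoverable", assertion: a } : null))
    : Promise.resolve(null);
  const typed = readUsername().then((username) => ({ path: "username-first", username }));
  let first = await Promise.race([discoverable, typed]);
  if (first === null) first = await typed; // nothing discoverable surfaced; wait for the form
  if (first.path === "discoverable") return first;
  ac.abort(); // user typed a name instead; cancel the pending conditional request
  const assertion = await usernameFirstLogin({ credentialsApi, serverApi, challenge, rpId, username: first.username });
  return assertion ? { path: "username-first", assertion } : { path: "none", assertion: null };
}

// Constructed stand-ins for testing outside a browser. `discoverable: true` models
// a platform authenticator holding an rk; false models a security key with rk=false.
function makeFakeCredentialsApi({ credentialId, discoverable }) {
  const stored = base64urlToBytes(credentialId);
  const same = (a) => a.length === stored.length && a.every((b, i) => b === stored[i]);
  return {
    async get(opts) {
      if (opts.mediation === "conditional") return discoverable ? { id: credentialId, type: "public-key" } : null;
      const allow = opts.publicKey.allowCredentials || [];
      return allow.some((c) => same(c.id)) ? { id: credentialId, type: "public-key" } : null;
    },
  };
}

function makeFakeServer({ username, credentialId }) {
  return {
    async challenge() { return "AAECAwQFBgcICQoLDA0ODw"; }, // constructed fixed value, not a real random challenge
    async credentialIdsFor(name) { return name === username ? [credentialId] : []; },
  };
}

const fakePublicKeyCredential = { isConditionalMediationAvailable: async () => true };
```

The shape matters more than the fakes: the conditional request and the username form coexist, and the form submission is what aborts the conditional request, not the other way round. If conditional mediation is unavailable the flow degrades straight to username-first with no user-visible difference.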