[webauthn] Should we keep the word “passkey” in the spec or not (#1939)

ko-koiwai has just created a new issue for https://github.com/w3c/webauthn:

== Should we keep the word “passkey” in the spec or not ==
## Background
The word “passkey” was added in PR#1901. In this PR, a passkey is defined as a synonym of a discoverable credential.
The reason behind this addition was to “_add a specific definition in the context of the specification, that can be referenced throughout the specification whenever the term is used_” as per https://github.com/w3c/webauthn/pull/1901#issuecomment-1583712599
and to attempt “_to codify the meaning of a passkey in the context of WebAuthn_” as per https://github.com/w3c/webauthn/pull/1901#issuecomment-1583661176

## Issue
However, there were discussions around the definition of passkeys. Some of them were:
https://github.com/w3c/webauthn/pull/1901#issuecomment-1583625312

> “despite what the standards authors may desire, there are at least 4 different definitions of what a passkey is in use by vendors.
>  - Any possible webauthn credentials (cite https://freeipa.readthedocs.io/en/latest/designs/passkeys.html )
>  - A synchronised/roaming credentials (cite https://support.okta.com/help/s/article/Passkey-Management?language=en_US )
>  - A credential that has BE/BS=true - I can’t find an obvious cite for this, android could fall into this category though in a way.
>  - And the passkeys are resident keys as I’m sure you’re aware of.”

and as I pointed out in https://github.com/w3c/webauthn/pull/1901#issuecomment-1593887184,
even within FIDO Alliance, some passkey definitions are inconsistently described:
- "_A passkey is a discoverable FIDO credential_" in FIDO (external) official FAQ at https://fidoalliance.org/passkeys/#faq
- "_Any passwordless FIDO credential is a passkey_" of the Passkey Messaging Guide, which is available in the top page of FIDO Alliance members site.

## Possible options suggested:

- Leave the spec as it is (keep the passkey definition as a discoverable credential), and align the passkey definition within FIDO Alliance, or
- Leave the spec as it is, and accept the difference between two standard organizations that jointly create FIDO2 specs, or
- Remove the reference to the word "passkey" from the spec.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1939 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 8 August 2023 00:13:40 UTC