- From: r-jo via GitHub <sysbot+gh@w3.org>
- Date: Fri, 18 Aug 2023 14:52:34 +0000
- To: public-webauthn@w3.org
Hi, of course there may be multiple accounts, I said it should not be the default thinking. The default should be one account and then the UX would be very nice and simple. In case the user creates more accounts, the user has to set appropriate labels in the pass manager. It is not possible to control the pass manager label from the server side.

Thinking more about it, my opinion became just stronger: the username fields should NOT exist. It should be a minimum to make them optional instead of required. The internal logic of webauthn is usernameless and it will be extremely confusing if this thing is not cleared. I would make them optional because deleting them is not backward compatible. Actually implementors should be warned to handle absence of these fields. I know it is a mess, but it will be a bigger mess if you leave it as it is.

For more details and the first website people struggling with this check out:

https://stackoverflow.com/questions/76330306/user-name-and-displayname-change-for-existing-passkey/76663224#76663224
https://stackoverflow.com/questions/73562080/webauthn-how-to-get-rid-of-the-username-requirement/76920460#76920460

I provided answers too if somebody is interested. I do not have time for this anymore. But I am 100% convinced, more than when I created this thread some time ago, that this is a crucial mess up. It is not just simply logically awful to force usernames in an otherwise usernameless logic but messes up people who try to implement passkeys in their web service.

Simply put: you cannot and should not micromanage the pass manager labels from the server side. And in the webauthn logic, the 2 username fields are nothing more than labels. They can be changed by the user anytime in the pass manager without the "relying party" knowing about it. They are in the power of the user and the responsibility of the user. Even accounts with usernames would learn in absence of username fields at least the true nature of passkey authentication.

But if any, an optional note field would be much better instead of 2 username fields. You want to sell passkeys as very easy but it would be better to be clear from the very beginning what is whose responsibility, and pass manager labels management is not the webservice provider's responsibility. Again, it is a self-discussion about deleting username fields from the spec vs. 1 or 2 optional fields. Making the fields required is 100% wrong.

--
GitHub Notification of comment by r-jo
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915#issuecomment-1684037160 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 18 August 2023 14:52:37 UTC