Re: [webauthn] username and display name should not be mandatory (rp, challange either) and OS UX should be simplified if not present (#1915)

Yes, WebAuthn doesn't need the usernames internally, but human-comprehensible labels are still needed for human end-users to understand what each passkey is for.

Also, it occurred to me just now that your original ask is based on a false premise:

> **These fields should not be mandatory** and **OS UX should be much simpler** if these fields are not used.

But the reality is that if they were optional, then the client UI would have to have _more_ steps than if they were set, not fewer. As established above, it's not feasible to leave passkeys without a user-comprehensible label, so the client would have to ask the user for one if the RP doesn't.

Then if the user chooses to create another passkey for the same account on an additional authenticator, they'll probably want the same label on both passkeys. The RP is better equipped than the client to choose and remember a suitable "account label" for any future passkeys the user may choose to create for the account.

I fully agree that choosing suitable values for `user.name` and `user.displayName` in a username-less application is difficult - I'm experiencing this firsthand right now in a project I'm working on - but making the fields optional is not an appropriate solution. At its core, this is an inherent challenge in the very concept of username-less accounts.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915#issuecomment-1684161276 using your GitHub account


Received on Friday, 18 August 2023 16:32:18 UTC
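
Added example, not part of the comment above or of the WebAuthn specification: a sketch of the point that the RP can choose an account label once and reuse it for every passkey later created for the same username-less account. The `accounts` store, the function names and the "Account created …" label format are assumptions made for illustration.

```javascript
// Added example: RP-side builder for PublicKeyCredentialCreationOptions in a
// username-less application. Store, helper names and label format are hypothetical.
const crypto = require("node:crypto");

// accountId -> { userHandle, label, credentialIds } (in-memory stand-in for a database)
const accounts = new Map();

// Create the account record once. The RP picks the label and stores it, so the
// user is never asked to invent one per authenticator.
function ensureAccount(accountId, createdAt) {
  if (!accounts.has(accountId)) {
    accounts.set(accountId, {
      userHandle: crypto.randomBytes(32), // opaque user.id, carries no personal data
      label: `Account created ${createdAt.toISOString().slice(0, 10)}`, // assumed format
      credentialIds: [],
    });
  }
  return accounts.get(accountId);
}

// Build creation options; every passkey for the account gets the same
// user.id, user.name and user.displayName.
function registrationOptions(accountId, rp, now = new Date()) {
  const acct = ensureAccount(accountId, now);
  return {
    rp,
    user: { id: acct.userHandle, name: acct.label, displayName: acct.label },
    challenge: crypto.randomBytes(32), // fresh per ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    // Prevents a second passkey for this account on an authenticator that has one.
    excludeCredentials: acct.credentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Call after a successful registration response has been verified.
function recordCredential(accountId, credentialId) {
  accounts.get(accountId).credentialIds.push(credentialId);
}
```
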