Re: [webauthn] [Superset] Updating credential metadata and requesting deletion of stale credentials (#1967)

Maybe a crazy take in the other direction, but I think it would make things simpler: if passkeys are designed to identify a single person (maybe using multiple devices in sync), why not just remove the `name` and `displayName` from the protocol?

If they want a label, users can still label a passkey directly on their client, but not necessarily with a name coming from the RP, the same way it's possible right now to change it in some client implementations. For example, if someone shared a passkey with me, my client could automatically label the passkey as "Alice's passkey"; or I could create a second passkey for an RP and my client would ask me how I want to name it so I can distinguish them; but by default they would have no label.

RPs can still allow a single passkey with multiple accounts by presenting an account selector after login.

This does not address the point of credential deletion, but I think that's quite a differentiated need. Maybe this doesn't need to be provided, either. After all, if I change the lock on my apartment, there's no more lock; I am responsible for disposing of the key. I can see many ways this could go wrong: RPs that disappear without wiping their users' passkeys (for example, the company goes bankrupt or the domain name is changed), or an RP accidentally removing their users' passkeys and locking them out.

-- 
GitHub Notification of comment by jgimenez
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1842442215 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 December 2023 08:46:28 UTC