- From: Kostas Pyliouras via GitHub <sysbot+gh@w3.org>
- Date: Sat, 09 Dec 2023 15:03:15 +0000
- To: public-webauthn@w3.org
Some thoughts from our perspective as a bigger-sized RP: the proposal by @nsatragno + @arnar addresses real concerns we have in planning passkeys rollout with existing users (and we also consider it blocking).

- **Changing login identification:**
  - Email addresses: In the consumer field, email addresses change quite frequently. With conditional UI, these would lead to a lot of issues and support questions without any possibility for us to help. Often the old email is lost or deleted (e.g. migration to Gmail, which is an ongoing trend) and would lead to a lot of uncertainty for the average consumer. This is a huge issue for any national RP that has been on the market for 10-15 years+. At the same time, they need passkeys the most.
  - Phone numbers: Change even more often.
- **Deleted passkeys:** Stale passkeys are also part of our thoughts, but can be acceptably mitigated with the current standard by using an AllowList. However, it is not ideal:
  - For conditional UI without some local information (cookie/LocalStorage) as a hint to who the user might be, this means deleted keys will show up, confusing users indefinitely.
  - For authentication: We would still prefer an empty AllowList because some browsers behave slightly differently when you have an AllowList that cannot be matched vs. an empty AllowList (but that is a minor issue).

We thought we would "chime in" as an RP. We know our focus here is on consumer-heavy situations, primarily focusing on passkeys/discoverable credentials. This is not to say all other perspectives are not important; it's just our perspective.

--
GitHub Notification of comment by kopy
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1848433321 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 9 December 2023 15:03:18 UTC