Re: [webauthn] residentKey: "preferred-if-unlimited"? (#1822)

> From our point of view, the proposed changes would not help with the issue of limited storage on physical security keys when it comes to passkeys, because a passkey _needs to be a discoverable credential_ for the passwordless flows to make sense.

Usernameless/passkey here, not passwordless. Passwordless isn't always an rk.

Regardless, there are many models of security keys that have fewer than 32 rk slots available. Please look at your password manager and tell me if you have more than 32 passwords saved. I know I have more than 150.

Even if we want to live in the dream and wish for passkeys and this nice experience, we live in the real world, and users can and will choose to use security keys with finite storage. A key point of the wg here is that users should be free to choose the authenticator that they use, and forcing rks that consume limited space goes directly against that.

As well, many Android phones simply lack updates or have telcos that refuse to push them out, so it could be literally years before "passkey support" on phones is ubiquitous, even with conditional UI.

Second, currently there is no practical difference between rk=preferred and rk=required, so the suggestion by @MasterKale would actually add a differentiating factor to that.

This is why passwordless should be the default and passkeys are an opportunistic upgrade.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1371560535 using your GitHub account
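The "passwordless by default, passkey as an opportunistic upgrade" stance in the comment above translates into two relying-party decisions: which `residentKey` value to request, and how to find out afterwards whether the authenticator actually consumed an rk slot. The code below is an added example written for this thread, not code from the webauthn repository or from the commenter; the `residentKey` values, `requireResidentKey` and the `credProps` extension are from the WebAuthn spec, while the function names, the sample rp/user values and the challenge-length check are my own assumptions. It builds `PublicKeyCredentialCreationOptions` for either policy and classifies the credential from the client extension results, treating a missing `credProps.rk` as non-discoverable so the RP never offers a usernameless flow the credential cannot support.

```javascript
// Added example (not from the webauthn repository or the comment author). Names are
// hypothetical; rpId/user values and the challenge bytes are constructed sample data.

// Build PublicKeyCredentialCreationOptions for a registration ceremony.
// preferPasskey=true asks for a discoverable credential (residentKey "preferred")
// but still accepts a non-discoverable one; preferPasskey=false uses "discouraged"
// so a storage-limited security key is not asked to spend an rk slot.
// challenge must come from the server's CSPRNG; the spec recommends >= 16 bytes.
function buildCreationOptions({ rpId, userId, userName, challenge, preferPasskey }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error('challenge must be at least 16 random bytes');
  }
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: preferPasskey ? 'preferred' : 'discouraged',
      // Legacy boolean for older clients; only true when residentKey is "required".
      requireResidentKey: false,
      userVerification: 'preferred',
    },
    // Ask the client to report whether the credential ended up discoverable.
    extensions: { credProps: true },
  };
}

// Interpret credential.getClientExtensionResults() after create() resolves.
// Returns 'passkey' when the authenticator reported a discoverable credential,
// 'passwordless' when it reported a non-discoverable one, and 'unknown' when the
// client did not implement credProps. An 'unknown' credential should be enrolled
// for the username-first flow only, since usernameless login cannot be assumed.
function classifyCredential(clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  if (props && props.rk === true) return 'passkey';
  if (props && props.rk === false) return 'passwordless';
  return 'unknown';
}

// Usage sketch (browser side): pass the options to navigator.credentials.create()
// and feed credential.getClientExtensionResults() to classifyCredential().
```

In practice the RP stores the classification next to the credential id: only credentials classified as `passkey` are offered to the conditional UI / usernameless path, while every credential still works for the username-first passwordless flow.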


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 5 January 2023 00:01:23 UTC