- From: r-jo via GitHub <sysbot+gh@w3.org>
- Date: Sun, 02 Jul 2023 20:50:16 +0000
- To: public-webauthn@w3.org
r-jo has just created a new issue for https://github.com/w3c/webauthn:

== username and display name should not be mandatory (rp, challenge either) and OS UX should be simplified if not present ==

## Description

PublicKeyCredentialUserEntity has mandatory fields for create(): **name** and **displayName**, even if there is an anonymous user id which is given to the server as "user handle" after a get() and which we can and should use for as-private-as-possible user identification. **These fields should not be mandatory** and the **OS UX should be much simpler** if these fields are not used.

For **simplicity and privacy** it is possible not to use phone numbers, emails or user names. The OS should create a UX like: "Creating passkey for xyz.com web domain (which will be synced to your Apple/Google/Microsoft/third-party pass manager)."

I think there is a username fetish which can be tied to passwords that are going to be replaced with **device based security** (even if private keys are synced and stored, a passkey is rather device based if I understand well). With passwords you could log in from everywhere, and though you do not really need usernames if the password is long enough, it was personal and intuitive, and now people seem to think it is a must (which is not the case). We actually **do not need usernames anymore**. The new way is to have a **personal protected OS account** even if the device is common. You protect it with biometrics and a PIN. The user is tied to devices (actually OS accounts) that (s)he should own. We can use **access tokens and crypto keys** to create an implicit account, and only if the user wants some more robust recovery, we can give a recovery key (a long password without username) or, even better as I reckon, a passkey which is synced and stored in the pass manager. For normal people it will be the Apple and Google pass manager, which is ok because those who don't care save everything via Apple or Gmail anyway.

Those who care (gmx, protonmail, 3rd party pass manager etc.) can have the option for a third-party pass manager as I see (OS API). Again: the user identity is actually the normally 1-3 personal protected OS accounts (and efforts should be made that people create their own OS account on common devices). The implicit account can be verified via session management and SubtleCrypto (Netflix pushed it and Netflix uses it too), actually the same way as with passkeys: private key in the browser's IndexedDB as a non-extractable key, public key on the server. Of course clearing the browser is equivalent to device loss, so **at the right point, preferably with passkeys**, users can create explicit accounts where the private key is stored in a pass manager.

I feel some confusion because **I do want the same user id/handle**, and in the specs you see: "the user handle ought not be a constant value...". Well, I do not want a user (= user of 1, 2, 3 devices/OS accounts) to create more than 1 account. I think it is again a perversion from the old times. I need one Google account actually, and if Google makes it possible, I can create more email addresses inside(!) where I switch easily. Nobody needs more than 1 Google account, but we create burner accounts because every *** website wants our email address and it can be personal (our name). It is not private against Google that we create more accounts, it is private against web services who want our email address. I do not want to fight the system, but **I want to point out that actually the normal behavior would be to have private anonymous accounts without username**, email, phone number, and add this information if and only if needed (I would add my phone number to Google for recovery since I might recover with my real identity through the phone company, but actually 90% of web domains don't need email, phone or usernames). I think it would be nice to **give websites at least the possibility to offer truly private accounts** easily without this complexity.

However, with this API I have to write something like "xyz.com user" as username and "citizen of xyz.com" as display name, and the **whole OS UX is overcomplicated**. I will never use username or display name, I will use the anonymous user id/handle. In addition, for simplicity, the **rp and challenge fields** should not be mandatory either. It is perfectly fine to use window.location.hostname, and if the OS needs a random value, they are more than capable of creating one for themselves if I do not create any... even better, because I have no idea if it is needed and whether 16 or 32 bytes etc. is better, or whether the whole thing is totally unimportant.

## Related Links

https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentity

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 2 July 2023 20:50:18 UTC