Re: [webauthn] Revisit description of userHandle (#1909)

A continuing "issue" with `userHandle` is that it remains non-required even in the draft of L3:

https://w3c.github.io/webauthn/#dictdef-authenticatorassertionresponsejson

From an RP's perspective this means that even if we want to leverage `userHandle` during auth we have to build our auth system to fall back to internally identifying the user solely by credential ID. And at that point it seems architecturally cleaner to just forgo using `userHandle` at all.

> Should we make that clearer or more prominent?

I think maybe we emphasize this as the primary benefit of `userHandle`. Its use by RPs for supporting "duplicate credential IDs for multiple user accounts because of cosmic bad luck" is probably not as compelling a use case in 2023.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1909#issuecomment-1609874683 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 27 June 2023 16:39:01 UTC
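
The fallback described in the comment above, as an added example that is not part of the original message or of the WebAuthn spec text: an RP-side lookup that always resolves the account by credential ID and uses `userHandle`, when the response carries one, only as a cross-check. The store layout, `resolveAccount`, the result fields and the sample values are assumptions made for illustration; signature and authenticator-data verification are out of scope here.

```javascript
// Constructed sample store: credential ID (base64url) -> account record.
// A real RP would back this with its credential table.
const credentials = new Map([
  ["Y3JlZC1hbGljZQ", { userHandle: "dXNlci0x", username: "alice" }],
  ["Y3JlZC1ib2I", { userHandle: "dXNlci0y", username: "bob" }],
]);

// Resolve the account for an AuthenticationResponseJSON-shaped object.
// The credential ID is the only identifier guaranteed to be present,
// so it is the primary key; userHandle is optional in the JSON dictionary.
function resolveAccount(authResponse, store) {
  const record = store.get(authResponse.id);
  if (!record) {
    return { ok: false, reason: "unknown-credential" };
  }

  const claimed = authResponse.response.userHandle;
  if (claimed === undefined || claimed === null || claimed === "") {
    // No userHandle supplied: identify the user solely by credential ID.
    return { ok: true, username: record.username, via: "credential-id" };
  }

  // userHandle supplied: it must name the owner of the credential,
  // otherwise the assertion is rejected rather than trusted.
  if (claimed !== record.userHandle) {
    return { ok: false, reason: "user-handle-mismatch" };
  }
  return { ok: true, username: record.username, via: "credential-id+userHandle" };
}

// Constructed sample responses (signature fields omitted for brevity).
const withoutHandle = { id: "Y3JlZC1hbGljZQ", response: {} };
const withHandle = { id: "Y3JlZC1hbGljZQ", response: { userHandle: "dXNlci0x" } };
const wrongHandle = { id: "Y3JlZC1hbGljZQ", response: { userHandle: "dXNlci0y" } };

console.log(resolveAccount(withoutHandle, credentials));
console.log(resolveAccount(withHandle, credentials));
console.log(resolveAccount(wrongHandle, credentials));
```

Both successful paths end at the same record, which is the architectural point the comment raises: the credential-ID lookup has to exist either way, and `userHandle` only adds a consistency check on top of it.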