Re: [webauthn] make username fields optional (do not delete them, but do not force their usage, either, which is hostile against usernameless services) (#1942) from Mitar via GitHub on 2023-11-24 (public-webauthn@w3.org from November 2023)

From: Mitar via GitHub <sysbot+gh@w3.org>
Date: Fri, 24 Nov 2023 08:05:41 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1825283609-1700813139-sysbot+gh@w3.org>

I agree that it would be useful that the whole `user` field would not be required and that would be then used for sites which expect only one user per site. Browsers could still allow internally to have multiple users if the user decides so, but site does not even have to know about that.

But current workaround is also pretty simple in my view. In [Charon](https://gitlab.com/charon/charon) an privacy preserving auth system I am working on, I simply do `{id: new Uint8Array([0]), name: "site.origin.example.com", displayName: "Site name"}`, `name` matching `id` from `rp` field, and `displayName` matching `name` from `rp` field. To the user I think this looks clear and simple. It is duplicated, but when shown as prompt in UI it makes sense, you are signing into the site with site name.

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1942#issuecomment-1825283609 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 November 2023 08:05:43 UTC