Re: [webauthn] Support a "create or get [or replace]" credential re-association operation (#1568)

I was also surprised that this does not already exist. When I heard about passkeys I really thought that we finally got to the place where I can just show one "Sign in" button on the site and the user can sign in. If the user does not have an account, an account is created for them the first time. Similar to how social authentication works, only that the user keeps control through their device/platform or security keys. I also find this furthers the privacy of the user: no usernames or even e-mails. Just an opaque credential ID. They can maybe provide an e-mail for account recovery, but it is not required. Also, browsers could then manage multiple accounts per site and sites would not even have to know about that (again a privacy win).

But currently it seems this is not possible. `getOrCreate` in my view (in that order) would achieve that for resident keys. I would ask if any key is registered for the site and if not, a new one would be created (of course with the user giving consent to the browser to do so). In my view the response could really be `PublicKeyCredential` with `AuthenticatorAttestationResponse` or `AuthenticatorAssertionResponse`, depending on whether the key was created or just retrieved.

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1568#issuecomment-1825372580 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 November 2023 09:24:20 UTC