Re: [webauthn] How to know if a user has already registered a device? (#1749)

Whatever the use case and considerations, having a method:

`credentials.exists(rpId)`

*is* useful to adapt the UX accordingly. In the simplest case, just to highlight a button "Sign in with your passkey" while suggesting two other buttons, "Sign up" or "Use roaming device", in the other case. It does not carry any personally identifying information either, so it's safe.

----

@agl If I understand right, the potential tracking risk you mention goes as follows:

- user goes to `weird-subdomain-just-for-him.tracker.xyz`
- user registers with WebAuthn
- each time user visits `weird-subdomain-just-for-him.tracker.xyz`, that person can be tracked

But that logic is flawed, since you need to redirect the unknown user to the right subdomain in the first place. In other words, you need to identify them before making the redirect.

While we talk about privacy, the concrete situation we are in is that "discoverable" credentials are pushed. All such credentials are synced with Google/Microsoft/Apple, which de facto have a copy of your account keys. Greetings to the NSA, by the way.

That's very ironic to say the least.

---

Regarding `getOrCreate`, I agree with @mitar that `getOrCreate` would be an alternative solution for the default use case. Since you cannot know if the user has an existing credential or not, just let the user pick an existing one or create one on demand... But UX-wise it is still sub-par compared to `exists`, which can guide the user and customize the UI accordingly.

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1826236789 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 25 November 2023 07:10:21 UTC
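The `getOrCreate` flow discussed in the comment above, as an added example that is not part of the thread, the WebAuthn spec, or any browser's code. It layers a `getOrCreate` helper on the existing `navigator.credentials.get()` / `create()` calls: first ask for any discoverable credential for the RP (empty `allowCredentials`), and only fall back to registration when that fails. The fallback keys off a rejection named `NotAllowedError`; the assumption here is that browsers report "no usable credential" and "user dismissed the prompt" the same way, which is exactly the ambiguity that an `exists`-style query would remove. To run outside a browser, a constructed in-memory stand-in for `navigator.credentials` (`fakeCredentials`) is included; `rpId`, the user record, and the all-zero challenge are constructed sample values, and a real RP must send a random server-issued challenge.

```javascript
// Added example, not code from the WebAuthn thread or spec.
// Assumption: the rejection the page sees when no discoverable credential
// exists is a DOMException whose name is "NotAllowedError", the same name
// used when the user cancels, so the two cases are indistinguishable here.
const NO_CREDENTIAL = "NotAllowedError";

async function getOrCreate(credentials, { rpId, rpName, challenge, user }) {
  // Step 1: ask for any discoverable credential for this RP.
  // An empty allowCredentials list lets the authenticator pick.
  try {
    const assertion = await credentials.get({
      publicKey: { challenge, rpId, allowCredentials: [], userVerification: "preferred" },
    });
    return { kind: "existing", credential: assertion };
  } catch (err) {
    // Anything other than "not allowed" is a real failure, so surface it.
    if (!err || err.name !== NO_CREDENTIAL) throw err;
  }
  // Step 2: nothing usable (or the user dismissed the prompt; we cannot tell),
  // so register a new discoverable credential.
  const created = await credentials.create({
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpName },
      user,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
    },
  });
  return { kind: "created", credential: created };
}

// Constructed stand-in for navigator.credentials (not a real browser API):
// keeps credentials per rpId and mimics NotAllowedError when none is stored
// or when the simulated user cancels.
function fakeCredentials(userCancels = () => false) {
  const store = new Map(); // rpId -> [{ id, userHandle }]
  let counter = 0;
  const notAllowed = () =>
    Object.assign(new Error("The operation either timed out or was not allowed."), { name: NO_CREDENTIAL });
  return {
    async get({ publicKey }) {
      const list = store.get(publicKey.rpId) || [];
      if (list.length === 0 || userCancels()) throw notAllowed();
      const chosen = list[0];
      return { id: chosen.id, type: "public-key", response: { userHandle: chosen.userHandle } };
    },
    async create({ publicKey }) {
      if (userCancels()) throw notAllowed();
      const cred = { id: `cred-${++counter}`, userHandle: publicKey.user.id };
      const list = store.get(publicKey.rp.id) || [];
      list.push(cred);
      store.set(publicKey.rp.id, list);
      return { id: cred.id, type: "public-key" };
    },
    count(rpId) { return (store.get(rpId) || []).length; },
  };
}

// Constructed sample options; a real RP issues a fresh random challenge per ceremony.
function sampleOptions() {
  return {
    rpId: "example.com",
    rpName: "Example",
    challenge: new Uint8Array(32),
    user: { id: new Uint8Array([1, 2, 3]), name: "alice", displayName: "Alice" },
  };
}

// Run the flow twice against the same fake store: the first call registers,
// the second call signs in with the credential just created.
async function demo() {
  const creds = fakeCredentials();
  const first = await getOrCreate(creds, sampleOptions());
  const second = await getOrCreate(creds, sampleOptions());
  return [first.kind, second.kind, creds.count("example.com")];
}

demo().then((result) => console.log(result)); // ["created", "existing", 1]
```

Note what the second branch cannot do: when `get()` rejects, the page has no way to know whether the user has no passkey for this RP or simply closed the dialog, so a returning user who cancels is pushed straight into a registration ceremony. That is the UX gap the comment contrasts with an `exists`-style check.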