Re: [webauthn] [Superset] Updating credential metadata and requesting deletion of stale credentials (#1967)

I don't think we want to tie the update to an assertion, whether through an extension or a method on the returned `credential`. We should support an RP triggering updates & deletions without requiring a user to complete an assertion ceremony for each authenticator they own, e.g. from a settings page.

I prefer the static function approach. Especially if we can update other credential types on the same call. A possible API could be,

```javascript
navigator.credentials.update([
  { type: "public-key", id: ..., displayName: ..., /* etc. */ }  // missing attributes are ignored
]);

navigator.credentials.delete([
  { type: "public-key", id: ... }
]);
```

These would not be guaranteed to do anything. The browser would execute these actions opportunistically. For example, if a user just used a security key to sign in and the RP calls `delete`, the browser might send a CTAP credential management request to the security key. Local platform authenticators would likely always be able to perform these. The counterpoint is that if the authenticator is not available, it's probably okay to not bother the user with finding & activating it to make an update.

In my mind, an RP would call the same `delete` function in two different contexts: their "manage passkeys" settings page, and after a failed sign in attempt with a previously deleted, now unrecognized passkey.

`update` could similarly happen at both of those stages. However, currently the user's `name` and `displayName` are not part of the assertion, so the RP would have to call `update` after every sign-in, which seems suboptimal.

--

There are pros and cons to making this an action users have to consent to (and therefore, that we can inform the website that an update took place) vs a silent update. I think I prefer making these updates silently, so that RPs can build whatever experience they want around it, and we don't need to bother users twice. Showing UI for an update would also not be that dissimilar to calling `create` to override an existing passkey. But I would love to hear what RPs think!

-- 
GitHub Notification of comment by nsatragno
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1747466898 using your GitHub account
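An added example, not code from the comment, the WebAuthn spec or any browser: RP-side helpers that exercise the `update`/`delete` calls proposed above in the two contexts the comment names (a "manage passkeys" settings page, and a sign-in attempt with a credential id the RP no longer recognizes). Because the proposal is not a shipped API, the credential container is injected and feature-detected; `hintDelete`, `hintUpdate`, `rpStore`, the record shape and the use of base64url string ids are assumptions of this example.

```javascript
// Added example: RP-side use of the proposed navigator.credentials.update/delete.
// This is not a shipped API, so the credential container is injected and
// feature-detected. Every hint is best-effort: the browser may do nothing, so
// the RP's own records are the source of truth and are changed first.

// Send a delete hint for one or more credential ids (base64url strings, an
// assumption of this example). Returns what happened from the RP's point of view.
async function hintDelete(container, credentialIds) {
  if (!container || typeof container.delete !== "function") return "unsupported";
  try {
    await container.delete(credentialIds.map((id) => ({ type: "public-key", id })));
    return "requested";
  } catch (_) {
    return "failed"; // not an error for the RP; its record is already gone
  }
}

// Send an update hint; attributes left out are ignored under the proposal.
async function hintUpdate(container, credentialId, fields) {
  if (!container || typeof container.update !== "function") return "unsupported";
  try {
    await container.update([{ type: "public-key", id: credentialId, ...fields }]);
    return "requested";
  } catch (_) {
    return "failed";
  }
}

// Context 1: the "manage passkeys" settings page. rpStore maps userId to an
// array of { id, displayName } records (constructed shape for this example).
async function removePasskey(rpStore, userId, credentialId, container) {
  const before = rpStore.get(userId) || [];
  const after = before.filter((c) => c.id !== credentialId);
  rpStore.set(userId, after);
  const hint = await hintDelete(container, [credentialId]);
  return { removed: before.length !== after.length, hint };
}

// Context 2: an assertion carries a credential id the RP no longer knows
// (e.g. deleted earlier from the settings page). The RP cannot verify the
// signature without a stored public key, so it rejects the sign-in and also
// hints that the stale passkey can be discarded on the authenticator.
async function checkAssertionId(rpStore, credentialId, container) {
  const known = [...rpStore.values()].flat().some((c) => c.id === credentialId);
  if (known) return { recognized: true, hint: "none" };
  const hint = await hintDelete(container, [credentialId]);
  return { recognized: false, hint };
}
```

The return values only report whether a hint was sent; as the comment says, the RP cannot learn whether the authenticator actually applied it.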


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 October 2023 18:58:20 UTC