Re: [webauthn] [Superset] Updating credential metadata and requesting deletion of stale credentials (#1967)

> * Desire to signal to a client/authenticator that a specific credential is no longer valid and can be deleted
> * Desire to signal to a client/authenticator that `name` and/or `displayName` has changed

_Yes please._ The first one especially is highly desirable because passkey self-service must happen in two places, once on the RP's side and then a follow-up action within the provider's interface, and it's _very_ easy for the two to fall out of sync.

And I see adding the ability to update a credential's username and display name as highly desirable because it makes WebAuthn adaptable to real people problems. People change their legal names, online handles, email addresses, and other things that get used as usernames for a multitude of reasons, and right now the story for getting passkeys to respect this is limited to, "have the RP make a `.create()` call with the new name but same RP ID and user ID, and then hope the user uses the same authenticator as before so the old credential and its outdated metadata get overwritten." 

There's too much ambiguity in this current process that users can end up with two credentials, one with their old handle and a second one with their updated handle, thus exacerbating the RP's problems. I'd love for us to spend some more time on this in upcoming meetings to try and discover a better solution.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1732731787 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 25 September 2023 00:46:27 UTC