Re: [webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (#2222) from Shane Weeden via GitHub on 2024-12-27 (public-webauthn@w3.org from December 2024)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Fri, 27 Dec 2024 03:32:47 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2563277877-1735270365-sysbot+gh@w3.org>

I'm sure it will come up as a topic at the next WG call, and will let that process take its course, but I'm almost certain the answer will be against. There isn't even a discovery API to figure out if *any* credential exists at all, let alone provide a number. This is why the "autofill UI" (also known as conditional mediation) version of WebAuthn behaves the way it does. The notion of whether or not a credential exists on the client device and is shown in autofill dropdown to the user is not discoverable to the RP until the user decides to use it. The RP is not entitled to know this - again for privacy reasons. 

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2222#issuecomment-2563277877 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 27 December 2024 03:32:48 UTC