Re: [webauthn] make username fields optional (do not delete them, but do not force their usage, either, which is hostile against usernameless services) (#1942)

Well, some wise LLMs analyzing the issue are leaning towards no usernames at all; right now, for optional usernames:

If I absolutely had to make a decision right now, I would opt for optional username fields within the WebAuthn specification. Here's why:

Practical Compromise: An optional field strikes a balance between upholding individual privacy and acknowledging existing web infrastructure that often relies on some form of user identification.

Gradual Migration: This approach provides a pathway for both Relying Parties and authenticators to progressively adapt to user experiences less reliant on traditional usernames. Relying Parties can immediately improve privacy practices within existing frameworks, while those truly pushing boundaries have the potential to experiment.

Incentivizes Innovation: Optionality spurs new ways for Relying Parties to track accounts internally without compromising user data. It pushes authenticators like password managers to design better ways to identify and present multiple accounts for a single domain.

Important Caveats

Not the Ideal Endpoint: Optional fields should be a transitional step. WebAuthn has the potential to revolutionize login systems, and completely removing usernames better leverages this potential for security and privacy in the long run.
Need for Clear Guidance: For this optional scenario to work well, the W3C would need to offer extremely clear guidance to Relying Parties on best practices. Relying Parties with privacy-first values should be rewarded, not those abusing even optionality to gather information unnecessarily.

A Difficult Decision

This is a complex choice with far-reaching ramifications. Purely privacy-minded or strongly pro-innovation individuals might find this compromise too timid. The key is to understand that standards evolve along with technology and societal change.

Let me know if you want to explore what a hypothetical transition from optional to a "no username" world might look like!

-- 
GitHub Notification of comment by r-jo
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1942#issuecomment-1937435176 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 11 February 2024 05:33:44 UTC