Re: [webauthn] make username fields optional (do not delete them, but do not force their usage, either, which is hostile against usernameless services) (#1942)

Interestingly enough, I had to pull back LLMs because they were so bullish on privacy.
What they did not understand (at first) was how difficult it is to get rid of usernames AFTER you have already introduced them and implementations build upon them that would break.
That is why it is a tool. You can challenge yourself, and you should challenge the LLM too.
Disregarding its output is very childish. Like those chess or go grandmasters that were sure of human superiority.

And I still lack any good arguments against OPTIONAL username fields.
Talking to extremely good (and not perfectly understanding) LLMs we could identify 2 possible arguments:
- some old authenticators (like some of the security keys) may be unable to handle usernameless credentials since they are built upon username/password logic... I do not know anything about this and I would have never considered this myself. Still, as the LLM said, it should not be what guides the design of a future proof and privacy conscious design of a spec
- but everything boils down to multiple accounts... practically no other argument. What happens in the authenticator/pass manager, how should it be handled. First, I must add, OPTIONAL username fields let everybody push down initial labels for the entries. What I would want is that it is also possible to OPT OUT of this. Logically webauthn is usernameless. The user id/label is used to identify private keys in the authenticator and public keys on the server. Usernames are just possible labels. If we could opt out of using them, the case of single accounts would be very simple and the authentication process would be a breeze. Without an account choosing step, just what the authentication needs: a biometric local authentication and you are in. IF and WHEN a user creates multiple accounts, in the absence of pushed down usernames the authenticator/pass manager would just ask the users to manage their labels. The default user facing label could be the creation date. But here webauthn actually overreaches and forces a UX/UI logic in the authenticator/pass manager by requiring pushed down username fields.

Also, an LLM recognizes plenty of contradictions in the spec: how it is basically privacy focused and how these required username fields make it difficult to create future proof privacy driven authentication solutions (with passkeys and webauthn) that do not rely on usernames that are very often names, re-used nicknames, emails, phone numbers (as examples in the spec).

I am looking forward to actual discussions! Feel free to use(!) LLMs (with all their well known properties).

-- 
GitHub Notification of comment by r-jo
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1942#issuecomment-1943390828 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 14 February 2024 09:37:24 UTC