Re: [webauthn] are user handles in the wild including user data? (#2324)

Just another reminder that this is not a new capability and has existed in WebAuthn since L1 and is a critical part of the authenticator and credential data model. 

> Do we have deployment experience yet with user handles to evaluate whether RPs are complying with the in-spec advice? 

There are hundreds of millions (if not billions) of passkeys in the wild. IMO, it is not the WG's responsibility to police websites' implementations of a feature. It is, however, in scope for server certification programs.

> If actually they're just going to be user-specific usernames, it might be time to update expectations and instead consider any impacts on privacy as a result.

A user handle is not a username. 

> If they should be an opaque random number, maybe the client should generate it and return it to the RP?

This is not possible, as it needs to be an RP-managed identifier.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2324#issuecomment-3189413063 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 14 August 2025 18:06:17 UTC
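As an added illustration of the point made in the comment above (that a user handle is an opaque, RP-managed identifier rather than a username), here is example code that is not part of the thread or of the WebAuthn project: the RP generates the handle, is the only party that resolves it back to an account, and audits stored handles for the kind of embedded user data the original question asks about. `AccountStore`, `handle_leaks_user_data` and the sample accounts are assumptions made for the example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# WebAuthn user.id is an RP-chosen opaque byte string of 1..64 bytes.
MAX_USER_HANDLE_BYTES = 64


@dataclass
class Account:
    username: str
    email: str
    user_handle: bytes


def new_user_handle() -> bytes:
    """Opaque, RP-managed handle: random bytes with no relation to account data."""
    return secrets.token_bytes(32)


class AccountStore:
    """RP-side mapping from user handle to account; only the RP can resolve it."""

    def __init__(self) -> None:
        self._by_handle: Dict[bytes, Account] = {}

    def register(self, username: str, email: str) -> Account:
        acct = Account(username, email, new_user_handle())
        self._by_handle[acct.user_handle] = acct
        return acct

    def resolve(self, user_handle: bytes) -> Optional[Account]:
        """Look up the userHandle returned in an assertion response."""
        return self._by_handle.get(user_handle)


EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")


def handle_leaks_user_data(handle: bytes, acct: Account) -> List[str]:
    """Audit a stored handle; returns reasons it looks like user data (empty = ok)."""
    findings = []
    if not 1 <= len(handle) <= MAX_USER_HANDLE_BYTES:
        findings.append("length outside 1..64 bytes")
    text = handle.decode("utf-8", errors="replace").lower()  # random bytes -> mostly U+FFFD
    if acct.username.lower() in text:
        findings.append("contains username")
    if acct.email.lower() in text or EMAIL_RE.search(text):
        findings.append("contains an email address")
    if text.strip().isdigit():
        findings.append("bare numeric id (correlatable account number)")
    return findings
```

The audit is a heuristic for reviewing an existing deployment; the fix for any finding is to issue a fresh random handle and re-register the credential, since the handle cannot be changed on the authenticator.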