Re: [webauthn] Privacy risk from revealing allowed credentials (#1246) from Firstyear via GitHub on 2025-12-23 (public-webauthn@w3.org from December 2025)

From: Firstyear via GitHub <noreply@w3.org>
Date: Tue, 23 Dec 2025 02:24:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-3684818210-1766456675-noreply@w3.org>

Once again - passkeys generally are resident keys. Credential ID's *are not sent* when you are doing assertions with resident keys.

You *only need this* if you are doing *passwordless* flows, or non resident flows. 



-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1246#issuecomment-3684818210 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 23 December 2025 02:24:38 UTC