- From: Kyle Simpson via GitHub <noreply@w3.org>
- Date: Tue, 23 Dec 2025 05:11:21 +0000
- To: public-webauthn@w3.org
Android has an (unfortunate, IMO) behavior where the only way to register a device-bound (not cloud synced through GPM) passkey is to tell create() `residentKey: "discouraged"` (IOW, not discoverable). So I consider it a first-class use-case that people may be choosing such non-discoverable keys even if they're on devices that are fully capable of doing so.

I *wish* Android let you do device-bound discoverable passkeys, but for some reason they don't. Related: they also don't require cloud-based (GPM synced) passkeys to be discoverable.

So users who choose to create a device-bound passkey (on Android) will *have* to provide their account identifier (email, etc.) on every login, to have the RP look up their non-discoverable device-bound passkey. My `/api/login-challenge` endpoint thus absolutely has to return `allowCredentials` lists for any calls that submit an account identifier.

--
GitHub Notification of comment by getify
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1246#issuecomment-3685132861 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 23 December 2025 05:11:22 UTC