- From: Thomas Cannon via GitHub <sysbot+gh@w3.org>
- Date: Thu, 23 Jan 2025 21:28:25 +0000
- To: public-webauthn@w3.org
> I think this is the wrong train of thought to think of end-users directly .You can't reach all your end-users if RPs are having challenges with implementing the technology. The other angle is that JavaScriptless implementation makes passwordless auth ubiquitous for developers. Meaning that more websites will implement it and thus we'll reach more end users with this technology. > > Currently people who have perfectly secure but form based logins in php suddenly need to start thinking of adding JS to their stack instead of just having the payload that goes over the wire change. Imagine if we can upgrade a classic form to a WebAuthn form with just a line of code. It'd be really neat > > [...] In my experience many if not most login forms to date are JavaScriptless and session-based. We're telling all people to change this. Another important note: **every single browser, client, and device has Javascript disabled until it is parsed, read, and bug-free.** WebAuthn can't compete with the ergonomics & reliability of password-based, magic-link, or any other approach that can work through basic HTTP calls (via form submissions and browser requests). It's a non-starter for apps that work in slow data environments, flakey network connections; since users will not be able to log in if JS breaks. Deciding if there should be native, browser-based code for performing a WebAuthn handshake to a series of URLs is a bad idea, IMO. It tees up the feature to never be fully production-ready, because of the realities of how JS interacts in the browser. Put another way: browser advancements are letting us write more and more of our apps with less & less javascript. Authentication should follow that same ethos. -- GitHub Notification of comment by tcannonfodder Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-2611053256 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 23 January 2025 21:28:26 UTC