Re: [webauthn] Support a "create or get [or replace]" credential re-association operation (#1568) from Mitar via GitHub on 2025-07-02 (public-webauthn@w3.org from July 2025)

From: Mitar via GitHub <noreply@w3.org>
Date: Wed, 02 Jul 2025 20:04:39 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-3029162289-1751486676-noreply@w3.org>

Not really. For example, what happens if I trigger "immediate mediation" flow and user gets a prompt to unlock their secure key, but presses "cancel". Probably "immediate mediation" flow will return "not found" so I will think that user does not have a key registered and will start "create" flow, overwriting an existing residential key for the origin, forever preventing user to recover their account.

So "getOrCreate" has to be atomic, one action, with clear semantics never to overwrite the existing residential key for the origin.

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1568#issuecomment-3029162289 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 2 July 2025 20:04:39 UTC