- From: Mitar via GitHub <noreply@w3.org>
- Date: Wed, 09 Jul 2025 21:43:47 +0000
- To: public-webauthn@w3.org
The use case is simple: having an app with one button, "Sign-in with passkey". If the user does not have an account with their device, one is created for them. If they do have one, they are signed in. No username, no user ID. The user is authenticated by having access to the device and being able to use it to do the authentication flow using WebAuthn. The user account on the RP side is created after authenticating for the first time.

This is why residential/discoverable keys are great. The only issue currently is that you or the user can override them by accident if the RP does a "create" call when a key is in fact present.

My point is, why would a username be required if one has a (discoverable) credential ID to determine the user account on the RP side? It works great. Except for the "override by accident" situation.

--
GitHub Notification of comment by mitar

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1568#issuecomment-3054169871 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 9 July 2025 21:43:48 UTC