- From: Emil Lundberg via GitHub <noreply@w3.org>
- Date: Thu, 10 Jul 2025 09:04:29 +0000
- To: public-webauthn@w3.org
This seems like it shouldn't be the RP's responsibility to worry about. The issue is deeply entangled with particular implementations and the CTAP protocol specifically - that's not something we should introduce new parameters to handle, rather we should clarify the spec where needed, i.e., where implementations diverge. Which it seems they do: in my testing, Chrome does not behave the same way you describe. Even with `credProtect: "userVerificationOptional"`, Chrome seems to always prompt for PIN when authenticating with a discoverable key on a security key, so it always displays the names in the credential picker. Of course at the cost of a PIN prompt even when it could probably be skipped, technically; maybe that choice was made to make the UX more consistent, I don't know. Also: a new `userVerification` value wouldn't help much in the near term, because browsers not yet updated to understand the new value would just fall back to the default (`"preferred"`) which seems like the opposite of what you're asking for. We would have to introduce a whole new parameter in order for RPs to express this new preference in a backwards-compatible way. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2310#issuecomment-3056447675 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 10 July 2025 09:04:29 UTC