- From: Mitar via GitHub <noreply@w3.org>
- Date: Thu, 10 Jul 2025 09:09:05 +0000
- To: public-webauthn@w3.org
> That will have issues with user having multiple devices and credentials not syncing.

I had more in mind YubiKey devices, where you can move your keys with you between devices. So if you have the physical device, you can authenticate. The goal is to have authentication without any PII. With usernames people can use something unique, but it is not necessarily unique, so you still have to treat it like PII. And also that the flow is simple, you plug in your YubiKey, you authenticate, and you can do it for first factor, too.

When user is using multiple devices without syncing credentials, they can link multiple of those devices to the same account. And then use any of them to gain access. So username is really not required. (I also do not see how having username helps with sign-in process if they have multiple devices and their credentials didn't sync - username does not help them sign-in.)

> And you are fine with having a constant userName for the user in system UI because at the time of credential creation you don't know who the user is?

Constant userName would only be in the context of WebAuthn, once they sign-in, they can set up whatever they want to be shown in the app itself. In the WebAuthn account selection box, yeah, it would just show one username, the name of the app, for example.

> If get call fails, you can randomly generate new userHandle and invoke create. As userHandle is random, existing credential will not be overwritten.

Sure, but then they have two accounts/credentials with random usernames in their WebAuthn selection dialog. They didn't lose access to the other one (that is better), but now they have to know which one to pick. Our app can link eventually both of them to the same account, so that could be of help, but it still makes the user ponder the question "which one do I have to pick".

--
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1568#issuecomment-3056464657 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 10 July 2025 09:09:06 UTC
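
The username-less flow discussed in this message, sketched as an added example (not code from the message, the issue thread or the WebAuthn specification): a random userHandle per credential, a constant userName, and a server-side map that links several credentials to one account. `RP_NAME`, `creationOptions`, `requestOptions` and `AccountStore` are hypothetical names, and attestation and assertion signature verification are assumed to happen elsewhere before `register` or `resolve` is called.

```javascript
// Added illustration; all names here are hypothetical, not from the original message.
const RP_NAME = "Example App"; // constant label shown in the WebAuthn account picker

// Default randomness source: Web Crypto (browsers and recent Node.js).
const webRandom = (n) => globalThis.crypto.getRandomValues(new Uint8Array(n));

// Options for navigator.credentials.create(). A fresh random user.id (userHandle)
// means an existing discoverable credential for this RP is not overwritten.
function creationOptions(challenge, rpId, random = webRandom) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: RP_NAME },
      user: { id: random(32), name: RP_NAME, displayName: RP_NAME }, // no PII
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
    },
  };
}

// Options for navigator.credentials.get(). An empty allowCredentials list lets the
// authenticator offer its discoverable credentials, so no username is asked for.
function requestOptions(challenge, rpId) {
  return { publicKey: { challenge, rpId, allowCredentials: [], userVerification: "preferred" } };
}

const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Server side: many userHandles (one per authenticator) map to one account id.
class AccountStore {
  constructor() { this.byHandle = new Map(); this.nextId = 1; }
  // Record a new credential; pass accountId to link it to an existing account.
  register(userHandle, accountId = null) {
    const key = hex(userHandle);
    if (this.byHandle.has(key)) throw new Error("userHandle already registered");
    const id = accountId ?? this.nextId++;
    this.byHandle.set(key, id);
    return id;
  }
  // Resolve the account from the userHandle returned in an assertion response.
  resolve(userHandle) { return this.byHandle.get(hex(userHandle)) ?? null; }
  // Fold dropId into keepId once the user has authenticated with both credentials.
  merge(keepId, dropId) {
    for (const [k, v] of this.byHandle) if (v === dropId) this.byHandle.set(k, keepId);
  }
}
```

After a merge, either credential in the selection dialog resolves to the same account, which addresses the lockout concern but not the "which one to pick" question raised in the message.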