Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

It is a long thread; few recommendations still stand today.

- Always pass all the credentials known to the RP to avoid accidental overwrite of an existing credential.
  - This solves the original issue for the user.
- In the with-username flows, always pass all the known credentials. (This will cover discoverable as well as non-discoverable/server-side credentials.)
- The RP can rely on InvalidStateError as a signal that there already exists a credential for the user.

With conditional mediation being supported for some time now and immediate mediation coming in the future, I think we have a decent UI today.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-3079448004 using your GitHub account

Received on Wednesday, 16 July 2025 16:54:07 UTC
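
An added example (not part of the comment above, nor code from the WebAuthn project) of the registration pattern it recommends, assuming "pass all the credentials known to the RP" means listing them in `excludeCredentials` of `navigator.credentials.create()`. The RP id, the credential IDs and the helper names are constructed for illustration.

```javascript
// Constructed sample: base64url credential IDs the RP has stored for this user,
// covering both discoverable and server-side (non-discoverable) credentials.
const knownCredentialIds = ["AQIDBAUGBwg", "CQoLDA0ODxA"];

// Decode a base64url string into the byte array WebAuthn expects for `id`.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build creation options that exclude every credential the RP already knows,
// so an authenticator holding one of them refuses instead of overwriting it.
function buildCreationOptions(user, challenge, credentialIds) {
  return {
    publicKey: {
      rp: { id: "example.com", name: "Example RP" }, // hypothetical RP
      user,
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      excludeCredentials: credentialIds.map((id) => ({
        type: "public-key",
        id: b64urlToBytes(id),
      })),
    },
  };
}

// Run the ceremony. `create` is injectable so the logic can be exercised
// outside a browser; by default it calls the real WebAuthn API.
async function registerCredential(
  options,
  create = (o) => navigator.credentials.create(o)
) {
  try {
    return { status: "created", credential: await create(options) };
  } catch (err) {
    // InvalidStateError: the authenticator already holds an excluded credential.
    if (err && err.name === "InvalidStateError") {
      return { status: "already-registered" };
    }
    throw err; // NotAllowedError, AbortError, etc. are not that signal
  }
}
```
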