Re: [webauthn] Add onlyCreate to prevent creation of a new key for existing user (#2313)

This proposal accepts the hit in UX that a hypothetical `getOrCreate` operation would not suffer from; at which point, I think the [suggestion](https://github.com/w3c/webauthn/issues/1568#issuecomment-3056112151) from @akshayku should satisfy your needs, namely that instead of using a constant user handle for your application, you use a random one. While yes, in the event `get` fails for some reason and an authenticator is "attached" that has an "account", it will cause the user to have two separate "accounts". Your application already provides a way to "link" accounts, so these two accounts can be linked; or even better, in the event the user doesn't want to keep the newly created "account", your application would delete the new "account" and inform the user to delete the appropriate credential from their authenticator. You're willing to take the hit in UX already, so perhaps this additional hit is also acceptable.

One benefit this approach has that your ideal approach doesn't have is that it allows users to have multiple _separate_ accounts while still using the same authenticator. Why must you force users that want separate accounts to use separate authenticators? It's not _that_ rare for users to want separate accounts.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2313#issuecomment-3080085049 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 16 July 2025 19:52:27 UTC