Re: [webauthn] Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? (#2295) from Arian van Putten via GitHub on 2025-06-28 (public-webauthn@w3.org from June 2025)

From: Arian van Putten via GitHub <noreply@w3.org>
Date: Sat, 28 Jun 2025 17:19:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-3015827917-1751131171-noreply@w3.org>

Though what you write makes sense I don’t agree with 

> primary use case for conditional registration is to seamlessly upgrade users that currently have just a password as the sole authentication factor.

I don’t think that’s RP’s expectations. Most people are looking at passkeys to replace password+TOTP.   So we need to explain things in that context.

So then conditional create not allowing without extra hoops . that is surprising and should be clearly explained in the spec to avoid misimplementation.

Google’s developer docs definitely don’t explain any of these nuances and don’t meet the bar at giving people the guidance needed to build a secure implementation.


-- 
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295#issuecomment-3015827917 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 28 June 2025 17:19:34 UTC