- From: Ken Buchanan via GitHub <sysbot+gh@w3.org>
- Date: Fri, 28 Mar 2025 20:32:26 +0000
- To: public-webauthn@w3.org
> Sites can use that extra bit of information to lock out users who have credentials for the site but don't want to log in for whatever reason. A few sites like Twitter and Instagram show some content to logged-out users but aggressively try to coerce them to log in. With this feature they could be even more obnoxious.

I agree this is a concern. Sites do this now using cookies, but this would make that problem somewhat worse because users who have manually cleared their cookies might still have the existence of a sign-in credential apparent to the site through this mechanism. This is part of the reasoning why this feature would not work in private browsing modes such as incognito. It provides a way for users to hide the existence of credentials.

> I can also see a usability problem when the account I want to log in to Twitter with is a different one from the one that my browser knows about.

Yes. If you have two accounts, and one has a credential that will appear in this UI and one does not, then this adds friction signing in with the second account. That's a trade-off.

--
GitHub Notification of comment by kenrb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-2762403960 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 28 March 2025 20:32:27 UTC