Re: [webauthn] Conditional create with existing passkey (#2296) from Matthew Miller via GitHub on 2025-05-27 (public-webauthn@w3.org from May 2025)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Tue, 27 May 2025 14:40:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2912778462-1748356840-sysbot+gh@w3.org>

> But the developers probably never actually want to replace any existing passkeys with a conditional create call, (and possibly bother the user with confirmation UI for a passkey they already had). They could achieve this by passing an excludeCredentials list with all known credential IDs for the user.

Changing the re-registration rules for conditional create could make conditional create more confusing. If a user deletes a passkey from the RP's website, thus causing state desync between authenticator and RP (because the RP didn't use any of the Signal APIs 😏), then a subsequent conditional create request with an empty `excludeCredentials` but same RP ID and user ID should arguably lead to the authenticator overwriting its existing passkey just like with a typical `.create()` call.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2296#issuecomment-2912778462 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 27 May 2025 14:40:43 UTC