- From: Nina Satragno via GitHub <noreply@w3.org>
- Date: Fri, 17 Oct 2025 21:08:13 +0000
- To: public-webauthn@w3.org

I've split my proposal into two:

* https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-requestUserInfo (this issue)
* https://github.com/w3c/webauthn/wiki/Explainer:requirePlatformBackupEligibleCredential (#2342)

I tried addressing the comments on the explainer. Unfortunately, GitHub issues don't lend themselves very well to proposal discussion, so I'll also try to comment here:

> The current problem with usernameless is that user.name and user.displayName are required values when calling .create()

`user.name` and `user.displayName` will be filled in by the browser from the identifier the user chooses. They don't need to be supplied by the relying party, I agree that would be absurd.

> Opting into this new behavior would also require opting into immediate mediation and use of signal APIs?

Immediate mediation would not be required, but it would pair nicely. Like a _tira de asado_ and malbec. The signal API is really simple to implement, and relying parties should be doing that regardless of whether they implement this API or not. I don't think in the grand scheme of things this is that complicated, but I may be biased.

> What if residentKey: "required" isn't also set? T

Same as `residentKey` not set for platform authenticators. It's considered "required", except on Android where we do something very unintuitive and already have a footgun. I don't think this proposal introduces any footguns, but let me know if you spot one.

> We as a WG have seen many attempts in the past to add stricter authenticator selection rules for the sake of RPs wanting to pre-select authenticators with desired capabilities...

I think on the surface this seems similar to previous attempts to restrict authenticator selection to those that produce device-bound credentials. However, the fact we're going the other way completely changes the trade-offs: it's the same direction authenticators are moving.

I wrote [some of my thoughts on the explainer](https://github.com/w3c/webauthn/wiki/Explainer:requirePlatformBackupEligibleCredential#previously-rejected-proposals-for-authenticator-selection).

-- GitHub Notification of comment by nsatragno

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2336#issuecomment-3417227719 using your GitHub account

-- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 17 October 2025 21:08:14 UTC