- From: Matthew Miller via GitHub <noreply@w3.org>
- Date: Fri, 17 Oct 2025 22:41:56 +0000
- To: public-webauthn@w3.org
> Has the inverse also been considered in addition to this? Specifically the ability to prevent backup eligible keys from being produced. For setups where security is the priority over usability this would hold a lot of value I think.

This is my main concern with this proposal: this new specifiable requirement, as per the explainer...

> _...lets a relying party indicate that only platform authenticators that support syncing should be eligible to serve a make credential request_

...opens the door for someone else to come in and request a complementary feature of a specifiable requirement for only authenticators that are capable of creating device-bound credentials; how could we as a WG continue pushing back on such requests if we let this through?

Put another way, this feature would put security key users at a disadvantage, and as passkeys are a "bring your own credential manager" authentication method, I think this would move the needle too far towards "bring what the RP says you are allowed to use." It'll still lead to fragmentation, albeit one that's skewed towards syncing providers. Is it a beneficial enough shift for us to change our stance on authenticator pre-selection? The question will make for some good WG conversation.

And as was called out in the explainer (thanks for going the extra mile here @nsatragno 🙏)...

> _Authenticators are and have been moving towards syncing, not the other way around. With Microsoft [announcing synced passkeys are coming to Windows](https://blogs.windows.com/windowsdeveloper/2024/10/08/passkeys-on-windows-authenticate-seamlessly-with-passkey-providers/), the overwhelming majority of users will have access to a synced provider soon (the opposite is true of device-bound authenticators). Limiting authenticators to syncing only can help bring some coherence to relying parties that don't want and don't need to have their users deal with the UX challenges of pre-syncing authenticators._

...I agree that consumers are seeing more and more syncing options, and agree that this is a good thing. But if we want to keep WebAuthn on a "bring your own keys" track then we can arguably improve things for consumer use cases by proposing better UX for how RPs handle account recovery instead.

--
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2342#issuecomment-3417437497 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 17 October 2025 22:41:57 UTC
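The comment above debates whether an RP should be able to pre-select syncing-only (or, inversely, device-bound-only) authenticators at credential creation. What the current spec already gives an RP is the ability to inspect the Backup Eligibility (BE) and Backup State (BS) flags in the authenticator data after the credential is returned and apply its own policy. The following is an added example, not code from the thread, the explainer or the WebAuthn spec; the flag bit positions are those defined for the authenticator data flags byte (offset 32), the policy names and function names are assumptions, and the sample authenticator data is constructed rather than captured from a device.

```javascript
// Added example: RP-side evaluation of the BE/BS flags in WebAuthn authenticator data.
// Flag bit positions follow the WebAuthn authenticator data layout:
//   rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData? | extensions?
// Policy names ("any", "device-bound", "synced") are assumptions for this example.

const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified
const FLAG_BE = 0x08; // bit 3: Backup Eligible
const FLAG_BS = 0x10; // bit 4: Backup State (currently backed up)
const FLAG_AT = 0x40; // bit 6: Attested credential data included
const FLAG_ED = 0x80; // bit 7: Extension data included

// Decode the flags byte; rejects inputs too short to contain flags and signCount.
function parseAuthDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const f = authData[32];
  return {
    up: (f & FLAG_UP) !== 0,
    uv: (f & FLAG_UV) !== 0,
    be: (f & FLAG_BE) !== 0,
    bs: (f & FLAG_BS) !== 0,
    at: (f & FLAG_AT) !== 0,
    ed: (f & FLAG_ED) !== 0,
  };
}

// Apply the RP's backup policy to a freshly created (or asserted) credential.
// The spec does not permit BS=1 with BE=0, so that combination is rejected outright.
function evaluateBackupPolicy(authData, policy) {
  const flags = parseAuthDataFlags(authData);
  if (flags.bs && !flags.be) {
    return { accepted: false, reason: "invalid flags: BS set without BE" };
  }
  const kind = flags.be ? "backup eligible" : "device-bound";
  switch (policy) {
    case "any":
      return { accepted: true, reason: kind };
    case "device-bound":
      return flags.be
        ? { accepted: false, reason: "credential is backup eligible" }
        : { accepted: true, reason: kind };
    case "synced":
      return flags.be
        ? { accepted: true, reason: kind }
        : { accepted: false, reason: "credential is not backup eligible" };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample authenticator data: 32 zero bytes in place of rpIdHash,
// the flags byte under test, and a zero signCount.
function sampleAuthData(flagsByte) {
  const buf = new Uint8Array(37);
  buf[32] = flagsByte;
  return buf;
}

const DEVICE_BOUND = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_AT);                     // 0x45
const SYNCED = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT);       // 0x5d
const MALFORMED = sampleAuthData(FLAG_UP | FLAG_BS);                                  // BS without BE

console.log(evaluateBackupPolicy(DEVICE_BOUND, "device-bound")); // accepted
console.log(evaluateBackupPolicy(SYNCED, "device-bound"));       // rejected
console.log(evaluateBackupPolicy(MALFORMED, "any"));             // rejected as malformed
```

The point this illustrates for the discussion: a flag check only lets the RP reject a credential after the user has already gone through the creation ceremony, which is exactly the UX cost the explainer wants to avoid; pre-selection would move that decision earlier but, as the comment argues, at the price of letting RPs dictate which credential managers are acceptable.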