- From: Akshay Kumar via GitHub <noreply@w3.org>
- Date: Wed, 22 Oct 2025 16:28:25 +0000
- To: public-webauthn@w3.org
After thinking about it for two weeks, I cannot support this proposal.

> A syncing platform authenticator is required because we don't want users to end up without being able to sign in to relying parties after their devices break, with hybrid excluded because the hybrid user experience is worse than a traditional password based form.

This train of thought is flawed. This assumes that there is only one kind of RP. It is an RP's implementation detail how they want to deal with accounts if they receive a non-syncing authenticator. Also, platform vs. non-platform is again the RP's choice. Maybe the RP is OK with two security keys. Maybe the RP is OK with one non-syncing platform authenticator and a security key. Maybe the RP wants only synced passkeys. This proposal is actively disallowing non-backed-up authenticators.

> However, the fact we're going the other way completely changes the trade-offs: it's the same direction authenticators are moving.

Maybe or maybe not. That doesn't mean that we forbid existing authenticators that do non-backed-up credentials and actively disallow other authenticators/RPs.

> However, there remain a few notable platform authenticators without the ability to sync.

Thanks. That is a feature.

> Currently, there is no way to specify that these providers should be excluded from the list of eligible authenticators

Currently there is no way to specify that syncing providers should be excluded from the list of eligible authenticators for RPs who care about security and have a different mental model of how to secure their users. We cannot say that some RPs' use case is better than others'. Some RPs want to create synced passkeys. Some RPs want to create backed-up credentials only. If we deny one set of RPs citing fragmentation and user choice reasons, the same arguments apply for the other set of RPs.

Overall, I am against this proposal.
--
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2342#issuecomment-3433238972 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 22 October 2025 16:28:26 UTC