- From: Tim Cappalli via GitHub <noreply@w3.org>
- Date: Fri, 24 Oct 2025 16:29:06 +0000
- To: public-webauthn@w3.org
> but if the user agent didn’t have any credentials to show in modal UI, rather than immediate signal that state, the callback simply is not called. The challenge is I think it prevents the original goal of the feature which is to allow graceful fallback to other authentication methods. Outside of the RP having a short timeout value (e.g. after 5 seconds, abort the request and move on), I can't think of a way to do this gracefully. > However, I think it is problematic that such a call will leak information to the RP about whether the user has a saved passkey for the website. I generally share the same concern, but can't think of another way to address the original intent of the feature, which is a top concern for large RPs. -- GitHub Notification of comment by timcappalli Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3444001506 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 24 October 2025 16:29:06 UTC