- From: Matthew Miller via GitHub <noreply@w3.org>
- Date: Mon, 27 Oct 2025 01:56:06 +0000
- To: public-webauthn@w3.org
MasterKale has just created a new issue for https://github.com/w3c/webauthn: == Consider RP ID migration use cases == ## Description We're seeing some websites facilitate the migration of current passkey users to passkeys bound to a new RP ID. For example, https://x.com is communicating their upcoming migration of users away from `twitter.com`-scoped passkeys to new passkeys scoped to `x.com`. Without diving too deep into their migration UX, it seems X/Twitter is requiring users to go through a typical modal registration flow. Over time it's inevitable we'll see some other sites want to facilitate a similar migration. Some discussions around this explored a couple of possible ways the spec might be expanded to make it easier for an RP to more seamlessly migrate their users to passkeys at a new RP ID. I'm capturing some of them here to kick off discussions around how, if at all, we might add or refine functionality in L4 to make RPs' lives easier: 1. **Open up conditional create** to not require an auth to have _just_ occurred. This could benefit sites that use long-lived sessions and thus users are not often asked to re-auth 2. **Add a new signal** of some sort to allow an RP to trigger the rebinding of an existing passkey to a new RP ID 3. **Do nothing** and expect RPs to use the typical modal WebAuthn registration flow This list of options shouldn't be considered exhaustive. We should talk about the RP ID migration use case specifically and see what ideas might come out of such discussions. ## Related Links N/A Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2350 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 October 2025 01:56:09 UTC