Re: [webauthn] Consider RP ID migration use cases (#2350)

> * The user may have multiple passkeys. Which one is your conditional create call replacing? Even if you only call conditional create after a sign in with a passkey (to give you some confidence that specific passkey will be replaced), it could be that a different one gets replaced! Ignoring this fact and calling the signal API after could result in the user losing their valid passkeys.

Would conditional create really replace any passkey under the old RP ID though? I'd imagine the client allowing the request if the user has another passkey with matching username under a related linked RP ID, but it wouldn't replace that passkey. (Just like conditional create requests don't replace passwords either.) If the RP wants to clean up the existing passkey under the old RP ID, they can do so via the Signal API, right?

(But, as you point out, passkey assertions being limited to a single RP ID are really the limiting factor here.)



-- 
GitHub Notification of comment by kreichgauer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2350#issuecomment-3452817562 using your GitHub account


Received on Monday, 27 October 2025 18:50:37 UTC