- From: Rishikeshan Sulochana/Lavakumar (Work) via GitHub <noreply@w3.org>
- Date: Sat, 04 Apr 2026 18:38:49 +0000
- To: public-webauthn@w3.org
I too would like to have a way to use Passkeys without JS. Normal username/password can already be used without JS, I think there should be an HTTP header-based approach, too, like HTTP BASIC or HTTP DIGEST. MTLS already works similarly but the prompts aren't very pretty and the user experience isn't that good.

(1) For security-related software, it does not really _make sense_ to require **JavaScript** as it is one of the largest attack surfaces.

(2) Another use case is in command-line environments or simply to download a file using cURL or other CLI utilities.

(3) Resource-constrained devices cannot use Passkeys due to their reliance on JS, either, noninteractively.

I was on the passkeys train but I would rather prefer MTLS if it had a better UI due to the reasons above. I don't think passkeys solve anything MTLS doesn't already solve except for "origin binding". Wish we also had "origin binding" for MTLS too, but it is a layer or two underneath (TLS layer).

Regards,
Rishikeshan S/L.

--
GitHub Notification of comment by ris-work
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-4187558641 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 4 April 2026 18:38:49 UTC