Re: [webauthn] Discovery of migrated credentials (#2340)

> We are starting to see real world deployments of credential exchange, allowing passkeys to be transferred or copied between passkey providers. Apple, Dashlane and Bitwarden already have offerings and these were demonstrated at Authenticate 2025.
> 
> RPs capture an AAGUID at registration time and use it to assist with user self care (USC) interfaces to display passkey providers' icons and descriptions. These are static and become stale following use of a passkey from a new provider after a credential exchange event.

Nothing stops the credential being active in *multiple* passkey providers after the credential exchange occurs. There are also out-of-band methods to achieve this (such as Bitwarden's credential backups etc). The credential exchange specification in its own introduction states:

"""
... credentials that need to be migrated or referenced by one or more providers.
"""

https://fidoalliance.org/specs/cx/cxf-v1.0-ps-errata-20260309.html#sctn-intro

So there is a strong likelihood that the credential ends up having conflicting and flip-flopping AAGUIDs as it is used between the various providers. This will only confuse users further potentially.

It seems far easier to encourage RPs to allow users to name/alias their credentials than trying to solve this at a technical level in the specification. I can see this feature only further confusing the already muddy environments that passkey providers have created.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2340#issuecomment-4468882299 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 17 May 2026 02:17:12 UTC
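The following is an added illustration of the RP-side data model the comment above argues for; it is example code written for this page, not code from the commenter, the WebAuthn specification or any passkey provider. It keeps the registration-time AAGUID as one entry in an append-only history of observed providers (so a credential live in two providers is represented as such rather than flip-flopping), and lets the user-chosen alias take precedence over provider metadata in the self-care label. The AAGUIDs and provider names are constructed placeholders, and the `note_provider_use` input assumes some hypothetical signal tells the RP which provider was used on a later authentication; a plain WebAuthn assertion carries no AAGUID, so an RP only sees it at registration unless something else supplies it.

```python
"""RP-side credential record that tolerates a passkey living in several providers.

Example code for this discussion, not from the WebAuthn spec or any provider.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed placeholder AAGUIDs and names; they do not identify real providers.
PROVIDER_A = "11111111-1111-1111-1111-111111111111"
PROVIDER_B = "22222222-2222-2222-2222-222222222222"
PROVIDER_CATALOG = {PROVIDER_A: "Example Provider A", PROVIDER_B: "Example Provider B"}

MAX_ALIAS_LENGTH = 64


def sanitize_alias(raw: str) -> str:
    """Normalize a user-supplied alias before storing it: NFC, drop every
    control/format character (line breaks, bidi overrides, zero-width chars
    cannot reach the self-care UI), collapse whitespace, enforce a length cap."""
    text = unicodedata.normalize("NFC", raw)
    text = "".join(ch for ch in text if not unicodedata.category(ch).startswith("C"))
    text = " ".join(text.split())
    if not text:
        raise ValueError("alias must contain visible characters")
    if len(text) > MAX_ALIAS_LENGTH:
        raise ValueError(f"alias longer than {MAX_ALIAS_LENGTH} characters")
    return text


@dataclass
class CredentialRecord:
    credential_id: str            # base64url credential ID as the RP stores it
    registration_aaguid: str      # captured once, at registration
    registered_at: datetime
    alias: str | None = None
    # AAGUID -> last time the credential was seen used via that provider.
    provider_last_seen: dict[str, datetime] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The registration-time provider is the first, not the only, entry.
        self.provider_last_seen.setdefault(self.registration_aaguid, self.registered_at)

    def note_provider_use(self, aaguid: str, seen_at: datetime) -> None:
        """Append-only: a newly seen provider is added, never substituted for the
        old one, because after a credential exchange the passkey may be live in both.
        (Hypothetical input: the RP needs some signal beyond the assertion itself.)"""
        previous = self.provider_last_seen.get(aaguid)
        if previous is None or seen_at > previous:
            self.provider_last_seen[aaguid] = seen_at

    def active_providers(self) -> list[str]:
        """All providers this credential has been seen with, most recent use first."""
        return sorted(self.provider_last_seen, key=self.provider_last_seen.get, reverse=True)

    def has_conflicting_providers(self) -> bool:
        return len(self.provider_last_seen) > 1

    def set_alias(self, raw: str) -> None:
        self.alias = sanitize_alias(raw)

    def display_label(self) -> str:
        """User alias first; provider metadata only as a fallback, and never a
        single provider's name once more than one provider has been observed."""
        if self.alias:
            return self.alias
        providers = self.active_providers()
        if len(providers) == 1:
            return PROVIDER_CATALOG.get(providers[0], "Unknown passkey provider")
        names = [PROVIDER_CATALOG.get(a, "unknown provider") for a in providers]
        return "Passkey used with " + ", ".join(names)


def demo() -> CredentialRecord:
    """Constructed scenario: registered with provider A, later used from B,
    then used from A again, i.e. active in both after an exchange."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    rec = CredentialRecord("cred-1", PROVIDER_A, t0)
    rec.note_provider_use(PROVIDER_B, t0 + timedelta(days=30))
    rec.note_provider_use(PROVIDER_A, t0 + timedelta(days=31))
    return rec


if __name__ == "__main__":
    record = demo()
    print(record.active_providers(), record.display_label())
    record.set_alias("  Work laptop\n")
    print(record.display_label())
```

The point of the two-level label is that provider-derived text is only ever a fallback: once the user has named the credential, nothing a later exchange does to the AAGUID changes what they see, and when the history shows more than one provider the UI says so instead of picking whichever one was seen last.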