Design Review #996

#996: Web Authentication's PublicKeyCredential signal methods

Opened Sep 19, 2024

こんにちは TAG-さん!

I'm requesting a TAG review of Web Authentication's PublicKeyCredential signal methods.

Allow WebAuthn relying parties to report information about existing credentials back to credential storage providers, so that incorrect or revoked credentials can be updated or removed from provider and system UI.

Explainer¹: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Signal-API-explainer
Specification: https://w3c.github.io/webauthn/#sctn-signal-methods
WPT Tests:
User research: N/A
Security and Privacy self-review²: https://github.com/w3c/webauthn/wiki/Security-&-privacy-self-review:-PublicKeyCredential-signal-methods
GitHub repo: https://github.com/w3c/webauthn/
Primary contacts:
- Nina Satragno (@nsatragno), Google, author
Organization/project driving the specification: Google & the WebAuthn Working Group
Multi-stakeholder support³:
- Chromium comments: we would love to ship this thank you very much <3 -- signed: chromium
- Mozilla comments: https://github.com/mozilla/standards-positions/issues/1075
- WebKit comments: https://github.com/WebKit/standards-positions/issues/400
- The signal methods address common concerns from RPs that have been voiced since the early days of WebAuthn. See https://github.com/w3c/webauthn/issues/1967 and the issues linked from there, e.g. https://github.com/w3c/webauthn/issues/1967#issuecomment-1848433321
Status/issue trackers for implementations⁴: https://chromestatus.com/feature/5101778518147072

Further details:

I have reviewed the TAG's Web Platform Design Principles
Relevant time constraints or deadlines:
The group where the work on this specification is currently being done: WebAuthn WG
Major unresolved issues with or opposition to this specification: None
This work is being funded by: Google

Discussions

Discussed Nov 1, 2024 (See Github)

Max: 2 comments - 1st one - looking at the explainer, although they have given some examples (examples section) it could be better to give examples from the real user experience perspective. 2nd comment - other stakeholders - webkit seems supportive but mozilla hasn't got back yet. Cross-browser is very important for this feature.

Dan: they're talking about credentials but not the user experience of using passkeys. The objective is very low level, user experience they're trying to service is unclear. We should ask for user needs.

Hi @nsatragno - thanks for sending this our way. It would help us to review better if the explainer were more clear about the user need you're trying to service. You've described the problem statement and objective in low level terms but it's not clear the UX issue you're trying to tackle here. If you can describe start with user need, that would be helpful. It's good to see support from Webkit.

max to post

Discussed Nov 1, 2024 (See Github)

Max: there is an answer from Jeffrey... But no response from the requestor yet so we should wait.

Dan: OK I will bump.

Comment by @maxpassion Nov 13, 2024 (See Github)

Hi @nsatragno - thanks for sending this our way. It would help us to review better if the explainer were more clear about the user need you're trying to service. You've described the problem statement and objective in low level terms but it's not clear the UX issue you're trying to tackle here. If you can describe start with user need, that would be helpful. It's good to see support from Webkit.

Comment by @jyasskin Nov 13, 2024 (See Github)

@maxpassion The explainer includes

If a relying party stops accepting a credential, e.g. as a result of revoking it from an account or by completely deleting an account, the credential is still presented by clients during discoverable flows.

Even if relying parties allow a user to change their username or display name on the account, such changes are not reflected in the display of credentials during discoverable flows.

Those seem like the high-level UX issues that this feature is designed to tackle?