digital-credentials
[Discuss] Relationship between identity credentials, passkeys, and federation
Surfaced as a core discussion topic on the first call (2023-10-04).
Sub-topics:
- should identity credentials, passkeys, and federation be surfaced to users in the same UI?
- sign-in vs. claims transfer
I think people enjoy the feeling of safety, knowing their fingerprint is required to present a credential, because, similar to imagining someone forging an ink signature, it feels safer to the user to know that their consent and fingerprint are required, as opposed to a threat actor stealing a password or forging their ink signature.
In the mind of the user, the action is using their fingerprint to authorize something... they want to feel safe authorizing things; the UI needs to convey safety and control for both... The payment experience is the same... if my phone doesn't ask for my fingerprint to confirm a payment, I fear that anyone with my phone may spend my money; if my phone doesn't ask for my fingerprint when signing in, I feel that anyone can impersonate me.
This has been discussed across many venues including calls, IIW, TPAC, Fed ID WG, and WebAuthn WG. The direct interaction between these experiences is driven by the user agent and/or app platforms.
Mixed usage at the CredMan level can be supported in the future: https://github.com/w3c/webappsec-credential-management/issues/244#issuecomment-2327703428