are user handles in the wild including user data?

[npdoty]

Do we have deployment experience yet with user handles to evaluate whether RPs are complying with the in-spec advice? I would expect advice to relying parties to definitely not put user email addresses into these would be ignored, but that's just my speculation.

If they should be an opaque random number, maybe the client should generate it and return it to the RP?

If actually they're just going to be user-specific usernames, it might be time to update expectations and instead consider any impacts on privacy as a result.

If experience is showing in the wild that they aren't user-specific and sites are consistent in making them intelligence-free identifiers, great!

[timcappalli]

Just another reminder that this is not a new capability and has existed in WebAuthn since L1 and is a critical part of the authenticator and credential data model.

Do we have deployment experience yet with user handles to evaluate whether RPs are complying with the in-spec advice?

There are hundreds of millions (if not billions) of passkeys in the wild. IMO, it is not the WG's responsibility to police websites implementations of a feature. It is, however, in scope for server certification programs.

If actually they're just going to be user-specific usernames, it might be time to update expectations and instead consider any impacts on privacy as a result.

A user handle is not a username.

If they should be an opaque random number, maybe the client should generate it and return it to the RP?

This is not possible, as it is needs to be an RP-managed identifier.

[timcappalli]

@npdoty did the previous response sufficiently answer your questions about user handle?