Should we keep the word “passkey” in the spec or not #1939
Comments
You answered the question. FIDO's public definition aligns with the definition in the WebAuthn L3 Editor's Draft. I see no justification for its removal (so option 1).
I believe @nicksteele's positively-received response towards the end of #1901 is the best rationale for keeping the definition of "passkey" in the spec:
I strongly believe that developers who want to investigate the technical definition of what a "passkey" is won't go digging into the FIDO Alliance side of docs. Rather they'll come here directly to the WebAuthn spec or intuit things based on what they read on developer-centric sites like MDN or https://passkeys.dev who distill our work into actionable developer-centric insights. The cat's out of the bag, and not offering an authoritative definition of what "passkey" is in the context of WebAuthn will ultimately harm WebAuthn adoption. The FIDO Alliance does important work, no doubt, but when it comes to websites it's the W3C and its specs that have outweighed impact on those who are the ultimate consumers of the WAWG and its outputs. Therefore I think it is our prerogative to include a definition for passkeys, and so I support Option 1.
And to reiterate, adding the "passkey" alias to "discoverable credentials" allows us to offer nicer developer experiences in APIs like
We should discuss this with and as FIDO Alliance before it is resolved here, since both organizations have strong interests as the definition has a huge impact on marketing "passkeys".
If it's a technical term, define it in a technical document. What kind of term is "passkey"?
It has been discussed in/with FIDO, ad nauseam, and as stated earlier, matches FIDO's public documentation.
It is a noun, like password, which is used throughout related specs.
OK, then there shouldn't be any official definitions.
The reference in the WebAuthn specification is for use by methods and text defined in WebAuthn. No one who worked on these WebAuthn changes has ever claimed otherwise. Closing issue.
I do not think this is complete and you should not close it.
Forgot there was a WG meeting today! Will leave open for that call.
I am a maintainer of a fairly popular RP library. While this is not in the browser space my perspective is from that of being an implementer. I think having the terminology relevant to the consumer in the spec intended for the implementer is actually really important. It's especially really important to have it in there and explain the relationship between the consumer explainer technology and the technical technology. My rationale is that while finding this information is possible it's fairly difficult to do accurately. Having this in the spec makes it crystal clear when someone asks for "passkey support" (which I believe is going to be inevitable for many implementers) what that actually means in relation to the specific elements they have spent time to understand.
This was discussed on the August 9th WebAuthn Working Group call; the meeting minutes can be found here. The consensus of the working group on the call was that this issue should be closed with @timcappalli and @MasterKale merging #1936 into #1923 which will reference the term passkey.
Background
The word “passkey” was added in PR #1901. In this PR, a passkey is defined as a synonym of a discoverable credential.
The reason behind this addition was to “add a specific definition in the context of the specification, that can be referenced throughout the specification whenever the term is used” as per #1901 (comment)
and to attempt “to codify the meaning of a passkey in the context of WebAuthn” as per #1901 (comment).
Issue
However, there were discussions around the definition of passkeys. Some of them were:
#1901 (comment)
and as I pointed out in #1901 (comment),
Even within FIDO Alliance, some passkey definitions are inconsistently described:
Possible options suggested: