[Discuss] Relationship between identity credentials, passkeys, and federation #25

Closed
timcappalli opened this issue Oct 5, 2023 · 2 comments

@timcappalli
Member

timcappalli commented Oct 5, 2023

Surfaced as a core discussion topic on the first call (2023-10-04).

Sub topics:

  • should identity credentials, passkeys, and federation be surfaced to users in the same UI?
  • sign in vs claims transfer
@OR13
Contributor

OR13 commented Oct 5, 2023

I think people enjoy the feeling of safety, knowing their fingerprint is required to present a credential, because similar to imagining someone forging an ink signature, it feels safer to the user to know that their consent and fingerprint are required, as opposed to a threat actor stealing a password, or forging their ink signature.

In the mind of the user, the action is using their fingerprint to authorize something... they want to feel safe authorizing things, the UI needs to convey safety and control for both... Payment experience is the same... if my phone doesn't ask for my fingerprint to confirm a payment, I fear that anyone with my phone may spend my money... if my phone doesn't ask for my fingerprint when signing in, I feel that anyone can impersonate me.

@timcappalli
Member Author

This has been discussed across many venues including calls, IIW, TPAC, Fed ID WG, and WebAuthn WG. The direct interaction between these experiences is driven by the user agent and/or app platforms.

Mixed usage at the CredMan level can be supported in the future: w3c/webappsec-credential-management#244 (comment)
