This mirrors issue 914 on FIDO (CTAP).
At the moment, there is no straightforward way to update a user's personal information (name and displayName) associated to a credential. If a user wants to do it, they have to:
This situation is pretty bad. Users and relying parties might not even be aware of this issue, and it is easy to imagine an account picker with an old name appearing during log-in long after the user has updated their identity to the website.
--
To make this situation better, I propose the following check-list of changes:
authenticatorUpdateCredential operation on the authenticator model that allows updating displayName, name, and any other mutable metadata associated to the user the credential belongs to.otherUI into the credential ID. otherUI might include mutable information such as the user's name. Credential IDs are meant to be immutable and I also see no reason for packing that information anyway since it doesn't seem to be surfaced later.credentials.get extension that specifies the new values for displayName / name for each credential on the allow-list. This would be fairly straightforward to implement but unfortunately wouldn't work for empty allow-lists. Perhaps if the RP uses empty allow-lists, then they could have their users go through a webauthn flow as part of the personal information update.See also issue #1200
I never really understood why Webauthn mandates we process the name of a user. Is it actually used by any browsers to even be displayed at the moment?
It us used for discoverable/resident credentials in Windows 10 / Chrome / Safari.
They are displayed as part of the credential pick list when no allow list is sent.
Most helpful comment
It us used for discoverable/resident credentials in Windows 10 / Chrome / Safari.
They are displayed as part of the credential pick list when no allow list is sent.