Thoughts on UX #3

@coolaj86

Forgot Passkey

  • instead of "Forgot Password?" have "Can't Access Passkey?"

Replace Passkey

  • this will make any encrypted storage permanently inaccessible

Adding a Passkey

  • send magic email or text message to allow it
  • use password to allow it? maybe not?
  • allow creating password if the device doesn't support WebAuthn at all

Boolean IDs

IDs are a huge pain in the butt:

  • the os keychain may or may not be synced between devices
  • the current device may or may not have synced with the os keychain
  • the current browser on that device may or may not access the system keychain
  • the current browser may or may not be synced with its own key storage
  • if you've saved IDs to the server, you can't use them as entropy for local encryption
  • you can't retrieve IDs from the server without the user ALREADY being logged in
    (otherwise anyone can just grab bunches of IDs for your users, or you have waaay more logic to handle in regards to fingerprinting the user's devices and browsers, etc. to ensure that you don't pass them out willy-nilly)
  • the IDs are only useful to prevent creation of the same ID, which you get by logging in - otherwise, if you had them, you would already know

THEREFORE, it seems like each device should just have some sort of localStorage that simply indicates a tiny piece of information about each key - such as if the "attestation" issuer is a security key or os keychain, etc.
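One way to implement the per-device hint store described above, as an added example in JavaScript that is not part of this issue or the project's code: it keeps only a small flag per key (platform authenticator vs. security key), never fetches credential IDs from the server before login, and builds a `navigator.credentials.get()` request that relies on discoverable credentials instead. The `passkeyHints` storage key, the prompt names and the in-memory store stand-in are assumptions for the example.

```javascript
// Added example, not from the issue. Only a tiny per-key hint is kept on the
// device; nothing here is sent to the server and nothing is used as encryption
// material, so replacing a passkey cannot be bridged with these hints.
const HINT_KEY = 'passkeyHints'; // assumed localStorage key name

function loadHints(store) {
  try { return JSON.parse(store.getItem(HINT_KEY) || '[]'); } catch { return []; }
}

// Call after navigator.credentials.create() resolves. cred.authenticatorAttachment
// is "platform" (OS keychain / device passkey), "cross-platform" (security key),
// or null on browsers that do not report it. cred.id is the base64url credential ID.
function recordPasskeyHint(store, cred) {
  const att = cred.authenticatorAttachment;
  const attachment = att === 'cross-platform' ? 'security-key'
                   : att === 'platform' ? 'os-keychain' : 'unknown';
  const next = loadHints(store)
    .filter(h => h.id !== cred.id) // re-registering the same key does not duplicate
    .concat([{ id: cred.id, attachment, createdAt: Date.now() }]);
  store.setItem(HINT_KEY, JSON.stringify(next));
  return next;
}

// Pick the sign-in prompt for this device without asking the server for IDs
// (handing out IDs pre-login would let anyone enumerate a user's keys).
function chooseSignInPrompt(store) {
  const hints = loadHints(store);
  if (hints.length === 0) return 'no-local-passkey'; // show "Can't Access Passkey?"
  if (hints.some(h => h.attachment !== 'security-key')) return 'use-device-passkey';
  return 'insert-security-key';
}

// Request options for navigator.credentials.get(): an empty allowCredentials
// list asks the authenticator for discoverable credentials, so the server only
// has to supply a fresh per-attempt challenge, never a list of credential IDs.
function buildGetOptions(challenge, rpId) {
  return { publicKey: { challenge, rpId, allowCredentials: [],
                        userVerification: 'required', timeout: 60000 } };
}

// Minimal stand-in for window.localStorage so the logic runs outside a browser.
function memoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); } };
}
```

In a browser, pass `window.localStorage` in place of `memoryStore()`; the stored hint is advisory UX state only and must never replace server-side credential verification.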
