You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CHANGELOG.md
+10-4Lines changed: 10 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,13 +9,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
9
9
10
10
### Added
11
11
12
-
-**New feature (experimental):** the browser will now be signaled to remove an unknown credential after a failed authentication attempt. This is controlled by the new `OTP_WEBAUTHN_SIGNAL_UNKNOWN_CREDENTIAL` setting, which defaults to `True`. If set to `False`, the browser will not be signaled.
13
-
- The purpose of this is to improve user experience by removing credentials that are no longer valid from the users' device, stopping the user from being prompted to use this credential in the future.
14
-
- The exact response of browsers to the signal varies, most browsers tested appear to ignore this signal and thus this feature has no effect.
15
-
- This uses a draft feature defined the WebAuthn L3 specification: https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#sctn-signal-methods.
12
+
-**New feature (experimental):** the browser will now be signaled to remove an unknown Passkey after a failed authentication attempt.
13
+
- The purpose of this is to improve user experience by removing Passkeys that are no longer valid from the users' device, stopping the user from being prompted to use this Passkey in the future.
14
+
- This is controlled by the new `OTP_WEBAUTHN_SIGNAL_UNKNOWN_CREDENTIAL` setting, which defaults to `True`. If set to `False`, the browser will not be signaled.
16
15
- It works on recent versions of Chrome, Edge and Safari but not Firefox (as of October 2025).
17
16
- Read more about the browser API used: [`PublicKeyCredential.signalUnknownCredential` on MDN](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/signalUnknownCredential_static).
18
17
- This feature is experimental because not all browsers support it properly yet. The specification is also still in draft status and may change in the future.
18
+
-**New feature (experimental)**: the `render_otp_webauthn_sync_signals_scripts` template tag has been added to allow updating user details stored in the browser when they change on the server side.
19
+
- The purpose of this is to improve user experience by keeping the user details (like display name) in sync between server and client, so that the browser can show the correct information when prompting the user to select a Passkey.
20
+
- It works on recent versions of Chrome, Edge and Safari but not Firefox (as of October 2025).
21
+
- This feature is experimental because not all browsers support it properly yet. The specification is also still in draft status and may change in the future.
22
+
- Read more about the browser APIs used:
23
+
-[`PublicKeyCredential.signalCurrentUserDetails` on MDN](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/signalCurrentUserDetails_static)
24
+
-[`PublicKeyCredential.signalAllAcceptedCredentials` on MDN](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/signalAllAcceptedCredentials_static)
0 commit comments