Currently we don't limit webauthn/passkey names in any way. Not a big issue since only the user can see it - but it could possibly cause an issue if an admin views the records. There is no reason to allow arbitrary input - should follow the lead of username and use nh3 to strip tags and then compare with unicode characters.
Currently we don't limit webauthn/passkey names in any way. Not a big issue since only the user can see it - but it could possibly cause an issue if an admin views the records. There is no reason to allow arbitrary input - should follow the lead of username and use nh3 to strip tags and then compare with unicode characters.