ruby-passkeys / devise-passkeys

Devise extension to use passkeys instead of passwords
MIT License

What is the `label` for? #56

Closed asavageiv closed 5 months ago

asavageiv commented 5 months ago

The docs say `label:string` (required, cannot be blank you'll want to scope it to the Devise-enabled model). Why is this required and what does it mean to be "scoped to the Devise-enabled model"? What is its purpose? I don't generally see "label" inputs on other Passkey-enabled websites, nor do I want one on mine, so what should its value be?

shaneshort commented 5 months ago

Reading between the lines I think this appears to be mentioned here: https://github.com/heartcombo/devise/issues/5527#issuecomment-1407233859, specifically:

> A concrete example I've run into is labelling passkeys for different subdomained apps: a solution there is to store the key as a resident key (for a pure passwordless experience), and clearly label the key through the username (eg: App A: email@test.com). This is more a UI problem the browser/OS implementations for keychain access. That's outside of the scope of what app developers have to deal with, since it's part of the larger OS (which we don't have control over).

tcannonfodder commented 5 months ago

Sorry for the delay in replying! The label is required because it's best to make sure the user knows which key they're looking at when reviewing their passkeys after logging in. For example, a user could have the following passkeys, each of which should be labeled appropriately:

As an application, you could pre-fill these values (as certain implementations do), but each passkey should be labeled in some capacity to avoid confusion.
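Added example, not part of the thread and not code from devise-passkeys: one way an application could pre-fill a passkey label so the user never has to type one, while still keeping it non-blank and distinguishable within a single user's list of passkeys. It is plain Ruby with hypothetical names (`PasskeyLabel`, `suggest`, `validate`), and it assumes that "scoped to the Devise-enabled model" means unique per user and that labels are compared case-insensitively.

```ruby
# Added example: plain Ruby, no Rails or devise-passkeys APIs are used.
# Module and method names are hypothetical.
module PasskeyLabel
  MAX_LENGTH = 64

  # Coarse platform hints from a User-Agent string. Order matters:
  # iPhone UAs also contain "Mac OS X", Android UAs also contain "Linux".
  PLATFORMS = [
    [/iPhone|iPad/, "iOS device"],
    [/Android/,     "Android device"],
    [/Windows NT/,  "Windows PC"],
    [/Macintosh/,   "Mac"],
    [/Linux/,       "Linux PC"]
  ].freeze

  module_function

  # Clean a label before storing or comparing it: control characters become
  # spaces, whitespace runs collapse, and the length is capped.
  def normalize(label)
    label.to_s.gsub(/[[:cntrl:]]/, " ").gsub(/\s+/, " ").strip[0, MAX_LENGTH].to_s.strip
  end

  # Propose a label that is unique among ONE user's existing labels.
  # Only fixed strings reach the output, so the client-controlled
  # User-Agent value is never echoed into the passkey list.
  def suggest(user_agent, existing_labels)
    base = PLATFORMS.find { |pattern, _| user_agent.to_s =~ pattern }&.last || "Passkey"
    taken = existing_labels.map { |l| normalize(l).downcase }
    candidate = base
    n = 1
    candidate = "#{base} (#{n += 1})" while taken.include?(candidate.downcase)
    candidate
  end

  # Returns a list of problems; an empty list means the label is acceptable
  # for this user (assumed rule: non-blank and unique per user).
  def validate(label, existing_labels)
    clean = normalize(label)
    return [:blank] if clean.empty?
    existing_labels.any? { |l| normalize(l).casecmp?(clean) } ? [:taken] : []
  end
end
```

The `existing_labels` argument is meant to hold only the labels of the user who is registering the passkey, which is what keeps the uniqueness check scoped to that user rather than global.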

evolve2k commented 5 months ago

Oh yeah I've had this issue with MFA. An individual MFA doesn't need it but when I started to load multiple MFA TOTP codes into an app, I for sure wanted to know which one is which and much prefer not having to type that in myself.

evolve2k commented 5 months ago

Probably resolved from @tcannonfodder's explanation. Suggest can now be closed.

asavageiv commented 5 months ago

From that understanding it is not required. It's optional, but very useful. So we should probably update the docs. I'll take a quick pass at a PR.