Re: [webauthn] PublicKeyCredentialUserEntity difference between name, displayName and id not clear

As far as I can tell, it is only there to make Google's life easier.

It does not make it harder in a first factor situation because knowing the user name is not necessary for an attacker with the authenticator to use it as a first factor credential. He can just log in with each offered credential and figure out the user name that way.

It could conceivably be an additional privacy protection against eavesdropping on the authenticator traffic because the username is not passed along, although I have been repeatedly told eavesdroppers are considered out of scope. It sounds thin to me.

Using the user.id as the only valid unique identifier makes it too easy to spoof the user.name field and mislead the user about which credential he is logging in with (although to what end?).

I would turn user.id into a field that the client and authenticator MUST return in a first factor situation but the RP MAY include, and require the use of user.name as a unique identifier in all cases.

Is user verification required for first factor situations, or just user presence?

-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/622#issuecomment-336100680 using your GitHub account

Received on Thursday, 12 October 2017 11:33:16 UTC