Re: [webauthn] Privacy Considerations should describe risks of storing userID/displayName in "second-factor" authenticators from John Bradley via GitHub on 2017-09-21 (public-webauthn@w3.org from September 2017)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Thu, 21 Sep 2017 15:41:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-331196631-1506008498-sysbot+gh@w3.org>

I recall Google did the encryption trick with their pairwise identifiers for openID 2, so it can work.

For privacy I agree that credentials without some sort of local pin (or other authenticated unlock) should not provide a display name.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/578#issuecomment-331196631 using your GitHub account

Received on Thursday, 21 September 2017 15:41:51 UTC