Re: [webauthn] Requiring user gesture to call WebAuthn API (#1293)

@equalsJeffH @akshayku We understand that it is a breaking change. However, we believe this will benefit the whole community in the long term, assuming phones become major clients and authenticators in the future.

As a client, phones usually have much smaller screens, on which the user agent UI could take up a very large portion of the screen, or in some implementations even the whole screen. This makes an unsolicited dialog even more disruptive.

As an authenticator, assuming phones can be used as wireless authenticators, unsolicited notifications received from other hosts are effectively spam.

We think neither of the above cases is an acceptable user experience, and therefore strongly demand some user gesture requirement to guard the UI, if not the whole API.

In fact, it is not just about UI. If user agents start NFC scanning and BLE advertisement at the moment the API is called, it leads to a bigger problem that might leak user information. We know some implementations have guarded NFC scanning and BLE advertisement in their own UI by explicitly asking users which transport they want. This cumbersome design can be avoided if a user gesture is required at the very beginning of the API call.

On the WebKit side, we may consider guarding our API with user gestures but whitelisting RPs that would be broken.

-- 
GitHub Notification of comment by alanwaketan
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1293#issuecomment-532887434 using your GitHub account

Received on Wednesday, 18 September 2019 22:13:16 UTC
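The gate the comment above argues for, as an added example that is not code from the w3c/webauthn thread, from WebKit, or from any browser: a simulated user agent that checks for transient user activation before it shows any UI or starts any transport, alongside the two RP call patterns (inside a click handler versus on page load) that pass and fail that check. The `SimulatedUserAgent` class, the 5-second activation window, the synchronous stand-in for `navigator.credentials.get`, and the default transport list are assumptions made for illustration; `navigator.credentials.get` itself is the real API being modelled.

```javascript
// Added example; not from the w3c/webauthn issue or any browser's source.
// Simulates a user agent that requires a user gesture before a WebAuthn
// ceremony may start, so that an unsolicited call produces no dialog and
// triggers no NFC scanning or BLE advertisement.

const ACTIVATION_WINDOW_MS = 5000; // assumed lifetime of a transient activation
const DEFAULT_TRANSPORTS = ['internal', 'usb', 'nfc', 'ble']; // assumed UA default

class NotAllowedError extends Error {
  constructor(message) { super(message); this.name = 'NotAllowedError'; }
}

class SimulatedUserAgent {
  // `clock` is injectable so tests can age an activation without sleeping.
  constructor(clock = () => Date.now()) {
    this.clock = clock;
    this.activatedAt = -Infinity; // time of the most recent user gesture
    this.events = [];             // UI shown / transports started, in order
  }

  // Called by the UA when the user clicks, taps or presses a key.
  recordUserGesture() { this.activatedAt = this.clock(); }

  hasTransientActivation() {
    return this.clock() - this.activatedAt <= ACTIVATION_WINDOW_MS;
  }

  // Synchronous stand-in for navigator.credentials.get({ publicKey }).
  // The gesture check runs before any UI or radio activity, which is the
  // whole point: rejection leaves `events` empty.
  getPublicKeyCredential(publicKey) {
    if (!this.hasTransientActivation()) {
      throw new NotAllowedError('WebAuthn call requires a user gesture');
    }
    this.activatedAt = -Infinity; // consume it: one gesture, one ceremony

    const transports = new Set();
    for (const cred of publicKey.allowCredentials ?? []) {
      for (const t of cred.transports ?? DEFAULT_TRANSPORTS) transports.add(t);
    }
    if (transports.size === 0) DEFAULT_TRANSPORTS.forEach(t => transports.add(t));

    this.events.push('ui:show-dialog');
    for (const t of transports) this.events.push(`transport:start:${t}`);
    return { type: 'public-key', id: publicKey.allowCredentials?.[0]?.id ?? 'discoverable' };
  }
}

// RP pattern that passes the gate: the ceremony starts inside the click handler.
function signInFromClick(ua, publicKey) {
  ua.recordUserGesture(); // the click itself
  return ua.getPublicKeyCredential(publicKey);
}

// RP pattern the comment objects to: the ceremony starts on page load.
function signInOnLoad(ua, publicKey) {
  return ua.getPublicKeyCredential(publicKey);
}

// Runs both patterns against fresh simulated agents and summarises the outcome.
function compareCallPatterns() {
  const publicKey = {
    challenge: new Uint8Array(32), // constructed placeholder challenge
    allowCredentials: [{ type: 'public-key', id: 'cred-1', transports: ['nfc', 'ble'] }],
  };
  const result = {};

  const uaLoad = new SimulatedUserAgent();
  try { signInOnLoad(uaLoad, publicKey); result.onLoad = 'allowed'; }
  catch (e) { result.onLoad = e.name; }
  result.onLoadEvents = uaLoad.events.slice();

  const uaClick = new SimulatedUserAgent();
  result.fromClick = signInFromClick(uaClick, publicKey).id;
  result.fromClickEvents = uaClick.events.slice();
  return result;
}

// A gesture older than the window, or one already consumed, must not count.
function staleGestureOutcome() {
  let now = 0;
  const ua = new SimulatedUserAgent(() => now);
  ua.recordUserGesture();
  now = ACTIVATION_WINDOW_MS + 1;
  try { ua.getPublicKeyCredential({ challenge: new Uint8Array(32) }); return 'allowed'; }
  catch (e) { return e.name; }
}

function reusedGestureOutcome() {
  const ua = new SimulatedUserAgent();
  signInFromClick(ua, { challenge: new Uint8Array(32) }); // first ceremony consumes it
  try { ua.getPublicKeyCredential({ challenge: new Uint8Array(32) }); return 'allowed'; }
  catch (e) { return e.name; }
}

console.log(compareCallPatterns());
```

The ordering inside `getPublicKeyCredential` is the security-relevant part: the activation check is the first statement, so a call made without a gesture never reaches the dialog or the transport start-up, and a single gesture cannot be replayed for a second ceremony. Whitelisting RPs that would otherwise break, as the comment mentions for WebKit, would amount to skipping that first check for an origin on an allow list.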