@samuelgoto we are just picking this up at our [Tokyo f2f](https://github.com/w3ctag/meetings/blob/gh-pages/2019/09-tokyo/README.md). We're unclear as to the current thinking regarding permissions? If you are not considering an additional permission request, can you describe what the mitigation is against potential abuse? The security & privacy self check seems to be missing. If you have not yet filled this out, can you please take a look at the [new privacy & security self-check](https://www.w3.org/TR/security-privacy-questionnaire/) we just published? If the intended use of this is as a general replacement for log in, we are a bit concerned that this means service providers will always have the phone number (and therefore be able to correlate user's identity with their telecom provider)? This could be concerning from a privacy perspective. It's not that this is a new thing. It's been possible using existing technologies to ask for a user's phone number and then ask them to enter a code that is sent to them by SMS. The issue is that use of this API would make it so much easier to do this that you might risk this becoming the *only* means of authentication. Is that issue being discussed at all and if so do you have any thoughts on mitigation? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/391#issuecomment-530233811
Received on Wednesday, 11 September 2019 06:04:26 UTC