Re: Any agenda items for a 1 September WebAuthn/WPWG joint task force?

On Mon, Aug 31, 2020 at 6:36 AM Ian Jacobs <ij@w3.org> wrote:

> Hi all,
>
> Please let me know whether you have any points you’d like to discuss at
> the 1 September joint task force call.
>
> I have heard in two recent conversations interest in returning to the
> topic of silent risk assessment (à la
> 3DS2 frictionless flow) in light of browser evolution around cookies and
> fingerprinting. Could browsers provide
> risk engines with useful information that protects user privacy?
>
> Could we put this on our joint task force agenda? Is there any analogous
> discussion happening in the WebAuthn WG?
>

In both WebAuthn L1 <https://www.w3.org/TR/webauthn-1/> & L2
<https://w3c.github.io/webauthn/>, we note in a few places data that a
relying party deployer might extract and feed into their risk
calculations.  E.g., search the latter specs for:

risk tolerance
risk scoring
risk engines


Though, we have not AFAIK had discussions focussing on the topic of
"provid[ing] risk engines with useful information that protects user
privacy".

FWIW, the WebAuthn spec does have a fairly extensive Privacy Considerations
section <https://w3c.github.io/webauthn/#sctn-privacy-considerations>.

=JeffH

Received on Monday, 31 August 2020 16:01:30 UTC