
Re: [webauthn] Silent Authn? clarification of bit 0 in AuthenticatorData

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 22 Aug 2016 20:08:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-241533806-1471896538-sysbot+gh@w3.org>

Note also that the abstract at this time (commit master-2b72ddf) 
> Authenticators are responsible for ensuring that no operation is 
> performed without user consent.

..and searching for "consent" reveals several other similar 
statements.  Thus at this time, the webauthn spec **does not support 
the "silent authenticator" notion.** 

The definition of a silent authenticator is "an authnr that does not 
prompt the user or perform any user verification".

See also..


The latter features this text..
> ASMs SHOULD ensure that applications cannot use silent 
> authenticators for tracking purposes. ASMs implementing support for a 
> silent authenticator MUST show, during every registration, a user 
> interface which explains what a silent authenticator is, asking for 
> the users consent for the registration. Also, it is RECOMMENDED that 
> ASMs designed to support roaming silent authenticators either
>
> o    Run with a special permission/privilege on the system, or
> o    Have a built-in binding with the authenticator which ensures 
> that other applications cannot directly communicate with the 
> authenticator by bypassing this ASM.

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/22#issuecomment-241533806 using
 your GitHub account
Received on Monday, 22 August 2016 20:09:06 UTC
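
The following is an added example, not part of the message above or of the spec text it quotes: a relying-party check that rejects an assertion whose authenticatorData has bit 0 cleared, which is what a silent authenticator as defined in the message would produce. The byte layout and the bit 2 (user verified) flag are taken from the published WebAuthn Recommendation, not from this thread, and the function names and the `example.org` RP ID are hypothetical.

```javascript
// Added example, not from the email or the spec text it quotes.
// Assumed layout (published WebAuthn Recommendation):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
// Run this only after the assertion signature over authenticatorData has
// been verified; an unsigned flags byte proves nothing.
const { createHash } = require('crypto');

const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const MIN_LEN = 32 + 1 + 4;

function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < MIN_LEN) {
    throw new RangeError('authenticatorData shorter than 37 bytes');
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Returns { ok, reason }. A cleared bit 0 is treated as a silent assertion.
function checkUserConsent(buf, rpId, requireUserVerification = false) {
  const ad = parseAuthenticatorData(buf);
  const expected = createHash('sha256').update(rpId, 'utf8').digest();
  if (!ad.rpIdHash.equals(expected)) return { ok: false, reason: 'rp-id-mismatch' };
  if (!ad.userPresent) return { ok: false, reason: 'silent-assertion' };
  if (requireUserVerification && !ad.userVerified) {
    return { ok: false, reason: 'user-not-verified' };
  }
  return { ok: true, reason: 'consent-flag-set' };
}

// Constructed sample input (hypothetical RP ID), for running offline.
function buildSample(rpId, flags, signCount) {
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const hash = createHash('sha256').update(rpId, 'utf8').digest();
  return Buffer.concat([hash, Buffer.from([flags]), counter]);
}

console.log(checkUserConsent(buildSample('example.org', 0x00, 5), 'example.org'));
```

Note that a set UV bit without the UP bit is still rejected here as silent, since the check keys on bit 0 first.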
