- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Mon, 22 Aug 2016 20:08:59 +0000
- To: public-webauthn@w3.org
Note also that the abstract at this time (commit master-2b72ddf) states..

> Authenticators are responsible for ensuring that no operation is performed without user consent.

..and searching for "consent" reveals several other similar statements.

Thus at this time, the webauthn spec **does not support the "silent authenticator" notion.**

The definition of a silent authenticator is "an authnr that does not prompt the user or perform any user verification".

See also..

https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-glossary-v1.0-ps-20141208.html

https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-asm-api-v1.0-ps-20141208.html#security-and-privacy-guidelines

The latter features this text..

> ASMs SHOULD ensure that applications cannot use silent authenticators for tracking purposes. ASMs implementing support for a silent authenticator MUST show, during every registration, a user interface which explains what a silent authenticator is, asking for the users consent for the registration. Also, it is RECOMMENDED that ASMs designed to support roaming silent authenticators either
>
> o Run with a special permission/privilege on the system, or
>
> o Have a built-in binding with the authenticator which ensures that other applications cannot directly communicate with the authenticator by bypassing this ASM.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/22#issuecomment-241533806 using your GitHub account
Received on Monday, 22 August 2016 20:09:06 UTC