- From: Arshad Noor <arshad.noor@strongauth.com>
- Date: Tue, 5 Jul 2016 17:54:30 -0700
- To: "public-webauthn@w3.org" <public-webauthn@w3.org>

No, it's not. This is necessary not only for key-registration (where attestation comes into the picture) but for every authentication. Users are going to be prompted for the biometric gesture each time a biometric Webauthn Authenticator is activated for use: registration, authentication and transaction confirmation.

If they do not see a standard signal when Webauthn is in use, not only do they NOT know if there is a privacy-leak, but they also become vulnerable to phishing attacks (since the platform is not giving off any signals to the contrary).

Arshad Noor
StrongAuth, Inc.

On 07/05/2016 04:18 PM, Anthony Nadalin wrote:
> Isn't this already implied by the attestations that may be part of the registration (which is out of scope of the W3C WebAuthn WG).
>
> -----Original Message-----
> From: Arshad Noor [mailto:arshad.noor@strongauth.com]
> Sent: Sunday, July 3, 2016 6:41 PM
> To: public-webauthn@w3.org
> Subject: Signal to end-user when using webauthn
>
> I'm not sure if this is part of this WG's purview, but as the WG focuses on standardizing Webauthn, I would like to suggest adding one more element to its scope: a signal to the end-user when the platform is using the Webauthn standard to strongly-authenticate the user.
>
> An informal case for this is documented in this brief blog entry:
> *Not all biometric authentication is equal* - https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2falesa.website&data=01%7c01%7ctonynad%40microsoft.com%7cc713a71937b848c356c608d3a3ac794a%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=7WkozRldsTeHy6HRLVcQ27tpPOI0VryBKbrWtCTuXWM%3d.
>
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.

Received on Wednesday, 6 July 2016 00:55:08 UTC