Re: [webauthn] Consider dropping requirement for TUP on create()

I'm not so sure there are no privacy considerations. Basically, you are allowing any RP to uniquely identify any system with such an authenticator.

All that is needed is a makeCredential call with a requirement for an attached authenticator without a UP requirement and an exclude list. If no new credential is created, this particular credential identifies this system. The only practical limit is the time you have to test credentials.

As for practical applications, it would be trivial to use this to validate possible correlations between users.


-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/564#issuecomment-334087718 using your GitHub account

Received on Wednesday, 4 October 2017 08:39:22 UTC
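
The difference the comment above turns on, as an added example that is not part of the original message or of the WebAuthn specification: a simplified JavaScript model that compares what a calling RP can observe from a silent create call when the authenticator does and does not require user presence. The class, method names, outcome strings and credential IDs are constructed for illustration and are assumptions, not the WebAuthn or CTAP API.

```javascript
// Simplified model, constructed for illustration; not the WebAuthn/CTAP API.
class ModelAuthenticator {
  constructor(storedIds, requireUserPresence) {
    this.stored = new Set(storedIds);          // credentials already on this system
    this.requireUserPresence = requireUserPresence;
    this.counter = 0;
  }

  // Returns the outcome visible to the calling RP.
  makeCredential(excludeList, userTouched = false) {
    // With the UP requirement in place, nothing about the exclude list is
    // evaluated or disclosed until the user has interacted.
    if (this.requireUserPresence && !userTouched) return "not-allowed";
    if (excludeList.some((id) => this.stored.has(id))) return "excluded";
    this.stored.add(`new-${this.counter++}`);
    return "created";
  }
}

// Outcomes an RP sees when each candidate ID is placed in the exclude list
// of a call made with no user interaction.
function silentOutcomes(authenticator, candidateIds) {
  return candidateIds.map((id) => authenticator.makeCredential([id]));
}

// The design leaks membership if silent outcomes differ between candidates.
function leaksMembership(outcomes) {
  return new Set(outcomes).size > 1;
}

// Constructed sample data: one credential on the system, one that is not.
const candidates = ["cred-A", "cred-B"];

const withoutUP = silentOutcomes(new ModelAuthenticator(["cred-A"], false), candidates);
const withUP = silentOutcomes(new ModelAuthenticator(["cred-A"], true), candidates);

console.log("UP not required:", withoutUP, "leaks:", leaksMembership(withoutUP));
console.log("UP required:    ", withUP, "leaks:", leaksMembership(withUP));
```

In this model the outcomes stop depending on stored credentials only when the user-presence check runs before the exclude list is consulted.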