Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

The authenticator signs over the user presence and user verification flags, so it won't be possible to assert later that a silent signature was made with user consent. But the RP does need to take care to actually verify those flags (or store the signature), so that should probably be added to [ยง6.2. Verifying an authentication assertion][verify].

What would be the use case for silent signatures? I suppose they can't do much harm assuming the RP is trusted, but could XSS/XSRF attacks make it an issue?


GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 11 October 2017 21:02:24 UTC