Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

The authenticator signs over the user presence and user verification flags, so it won't be possible to assert later that a silent signature was made with user consent. But the RP does need to take care to actually verify those flags (or store the signature), so that should probably be added to [§6.2. Verifying an authentication assertion][verify].

What would be the use case for silent signatures? I suppose they can't do much harm assuming the RP is trusted, but could XSS/XSRF attacks make it an issue?

[verify]: https://w3c.github.io/webauthn/#verifying-assertion

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-335947404 using your GitHub account

Received on Wednesday, 11 October 2017 21:02:24 UTC
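
The relying-party flag check discussed in the comment above, as an added example that is not part of the original message or of the specification text. The function names and the policy object are hypothetical, the sample bytes are constructed, and the assertion signature is assumed to have been verified already, since the flags are only trustworthy once the signature over the authenticator data has been checked.

```javascript
// Authenticator data layout (WebAuthn):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

// Parse the fixed-length prefix of the authenticator data.
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical RP policy: { requireUserPresence, requireUserVerification }.
// Returns every unmet requirement so the RP can log why an assertion was refused.
function checkConsentFlags(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  const failures = [];
  if (policy.requireUserPresence && !parsed.userPresent) failures.push("UP flag not set");
  if (policy.requireUserVerification && !parsed.userVerified) failures.push("UV flag not set");
  return { ok: failures.length === 0, failures, parsed };
}

// Constructed sample input: placeholder rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const data = new Uint8Array(37);
  data.fill(0xab, 0, 32);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, signCount, false);
  return data;
}

// A silent assertion (no flags set) is rejected by a policy that requires presence.
const silent = checkConsentFlags(sampleAuthData(0x00, 5), {
  requireUserPresence: true,
  requireUserVerification: false,
});
console.log(silent.ok, silent.failures);
```

Storing the parsed flags next to the login record gives the RP the later evidence of consent that the comment mentions.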