Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

Enabling silent authentication might be problematic from a privacy standpoint.

Ad trackers will be able to silently create and use "super cookies" that track the machine across apps, and can't be easily deleted by the user.

As for making user verification optional, can you provide a use case for this? The user agent can already do this at the CTAP level, which enables some use cases relevant to the web (e.g. "I forgot my CTAP device PIN" button when the user agent asks for PIN entry).

-- 
GitHub Notification of comment by idamlaj
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-336410724 using your GitHub account

Received on Friday, 13 October 2017 10:09:40 UTC