W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

From: Ibrahim Damlaj via GitHub <sysbot+gh@w3.org>
Date: Fri, 13 Oct 2017 10:09:53 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336410724-1507889377-sysbot+gh@w3.org>
Enabling silent authentication might be problematic from a privacy standpoint.

Ad trackers will be able to silently create and use "super cookies" that track the machine across apps, and can't be easily deleted by the user.

As for making user verificatIon optional, can you provide a use case for this? The user agent can already do this at the CTAP level which enables some use cases relevant to the web (e.g. "I forgot my CTAP device PIN" button when the user agent asks for PIN entry)

-- 
GitHub Notification of comment by idamlaj
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-336410724 using your GitHub account
Received on Friday, 13 October 2017 10:09:40 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC