Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence from Ibrahim Damlaj via GitHub on 2017-10-13 (public-webauthn@w3.org from October 2017)

From: Ibrahim Damlaj via GitHub <sysbot+gh@w3.org>
Date: Fri, 13 Oct 2017 10:09:53 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336410724-1507889377-sysbot+gh@w3.org>

Enabling silent authentication might be problematic from a privacy standpoint.

Ad trackers will be able to silently create and use "super cookies" that track the machine across apps, and can't be easily deleted by the user.

As for making user verificatIon optional, can you provide a use case for this? The user agent can already do this at the CTAP level which enables some use cases relevant to the web (e.g. "I forgot my CTAP device PIN" button when the user agent asks for PIN entry)

-- 
GitHub Notification of comment by idamlaj
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-336410724 using your GitHub account

Received on Friday, 13 October 2017 10:09:40 UTC