Re: [webauthn] preventSilentAccess() -- what effect does calling it have?

@jyasskin wrote:
> [`credentials.preventSilentAccess()`](https://w3c.github.io/webappsec-credential-management/#abstract-opdef-prevent-silent-access) sets the origin-wide "prevent silent access flag" to true. That flag defaults to true, but the browser can set it to false if the user says to do so while signing in.

However, note that credman does not at this time explicitly specify a means to _**set**_ the `prevent silent access flag` to `false` (aka `unset`). It only says in [Requiring User Mediation](https://w3c.github.io/webappsec-credential-management/#user-mediation-requirement) that a user agent _could_ provide means to do so, e.g. as part of a [credential chooser](https://w3c.github.io/webappsec-credential-management/#credential-chooser).

> The user has done something—probably tap the "sign out" button—which indicates they want to be asked before the browser automatically uses their password to sign them in. Do they also want to be asked before the browser automatically uses their touchless authenticator to sign them in?

I tend to think "yes". 

> If we think they probably do, then we're in a good place, with at most editorial changes needed to explain this in the spec.

Agreed. This seems congruent with @jcjones's suggestion (https://github.com/w3c/webauthn/issues/565#issuecomment-339416894) of saying something about this in the present spec level.

Seems to me we can do this now for wd-07 or add this to the CR pile.


-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/565#issuecomment-340613074 using your GitHub account

Received on Monday, 30 October 2017 23:16:01 UTC
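The sign-in / sign-out / return-visit sequence discussed in the comment above, as an added example that is not part of the original message, the Credential Management spec, or any browser's code. It is a small Node-runnable model of the user-agent side: a per-origin "prevent silent access flag" that defaults to true, a `preventSilentAccess()` that can only set it to true, and a `get()` reduced to the mediation decision (`silent`, `optional`, `required`). The origin, the sample credential, and the step that clears the flag when the user picks a credential in the chooser are all assumptions made here for illustration; as the comment notes, the spec at the time only said a user agent *could* provide such a means.

```javascript
// Added model of the Credential Management "prevent silent access flag".
// Not spec or browser code: a simulation of the user-agent side so the effect of
// preventSilentAccess() on later get() calls can be traced offline in Node.
// Assumptions (not from the thread): the in-memory credential store, the sample
// origin/credential, and clearing the flag on an explicit chooser pick.

class UserAgentModel {
  constructor() {
    // Per-origin flag; the spec says it defaults to true, so a missing entry reads as true.
    this.preventSilentAccessFlags = new Map();
    // Per-origin stored credentials (filled with constructed data by the caller).
    this.credentialStore = new Map();
    // Records every chooser the model would have shown, so callers can see when the user was asked.
    this.promptsShown = [];
  }

  flagFor(origin) {
    return this.preventSilentAccessFlags.has(origin) ? this.preventSilentAccessFlags.get(origin) : true;
  }

  // navigator.credentials.store(): remember a credential for the origin.
  store(origin, credential) {
    if (!this.credentialStore.has(origin)) this.credentialStore.set(origin, []);
    this.credentialStore.get(origin).push(credential);
  }

  // navigator.credentials.preventSilentAccess(): sets the origin's flag to true.
  // There is deliberately no site-callable way to set it back to false.
  preventSilentAccessFor(origin) {
    this.preventSilentAccessFlags.set(origin, true);
  }

  // navigator.credentials.get({ mediation }) reduced to the mediation decision.
  // Returns the chosen credential, or null when nothing may be handed over.
  get(origin, mediation) {
    const creds = this.credentialStore.get(origin) || [];
    if (creds.length === 0) return null;

    // The user must be involved if the site demands it, the flag is set, or the choice is ambiguous.
    const needsUser = mediation === 'required' || this.flagFor(origin) || creds.length > 1;

    if (!needsUser) {
      // 'silent' or 'optional', flag clear, single credential: hand it over without UI.
      return creds[0];
    }
    if (mediation === 'silent') {
      // Silent mediation must not show UI, so the request resolves with null.
      return null;
    }
    // 'optional' with the flag set, or 'required': show the chooser.
    this.promptsShown.push({ origin, mediation });
    // Modelled user-agent choice (assumption): an explicit pick in the chooser counts as
    // consent to future silent access, so the flag is cleared here.
    this.preventSilentAccessFlags.set(origin, false);
    return creds[0];
  }
}

// Walks through the scenario from the thread: first visit, explicit sign-in,
// silent return visit, "sign out" calling preventSilentAccess(), then two more visits.
function signOutScenario() {
  const ua = new UserAgentModel();
  const origin = 'https://rp.example'; // constructed origin
  ua.store(origin, { type: 'public-key', id: 'cred-1' }); // constructed sample credential

  const firstVisit = ua.get(origin, 'silent');             // flag defaults to true -> null
  const explicitSignIn = ua.get(origin, 'optional');       // chooser shown, flag cleared
  const returnVisit = ua.get(origin, 'silent');            // silent sign-in now succeeds
  ua.preventSilentAccessFor(origin);                       // user taps "sign out"
  const afterSignOut = ua.get(origin, 'silent');           // back to null
  const afterSignOutOptional = ua.get(origin, 'optional'); // user is asked again

  return {
    firstVisitSilentFailed: firstVisit === null,
    explicitSignInSucceeded: explicitSignIn !== null,
    returnVisitSilentSucceeded: returnVisit !== null,
    afterSignOutSilentFailed: afterSignOut === null,
    afterSignOutOptionalSucceeded: afterSignOutOptional !== null,
    promptsShown: ua.promptsShown.length,
  };
}

console.log(signOutScenario());
```

The point the model makes concrete is the asymmetry the comment describes: a site can flip the flag to true at "sign out" with one call, but nothing a site does flips it back; only a user-agent-side action (modelled here as the chooser pick) restores silent access, and a touchless authenticator would be gated by the same flag as a stored password.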