Re: [webauthn] Consider dropping requirement for TUP on create()

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Sep 2017 23:11:50 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-330699459-1505862698-sysbot+gh@w3.org>

Adding a FIDO experience for TouchID or fingerprints on Android is a new scenario and a once-in-a-lifetime event. Arguably, IMO, the experience is not bad and is consistent with the whole FIDO security promise and user experience.

Regarding resident keys, on both platform as well as cross-platform authenticators, we should absolutely require a touch so that no malware can fill up the authenticator storage. It is a problem for both types of authenticators, external as well as internal.

The current design is clean and similar to the U2F experience, and we should not over-optimize the experience here, as well as protect against malware just messing up the authenticators silently.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/564#issuecomment-330699459 using your GitHub account
Received on Tuesday, 19 September 2017 23:11:44 UTC
