- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 20 Sep 2017 17:39:17 +0000
- To: public-webauthn@w3.org
@christiaanbrand Anyone with physical access to the authenticator can pretend to be any RP, and if they can also convince the authenticator that they're the user (trivial for second-factor authenticators), they can get the user ID for that RP out. I'm not *certain* that's a leak we should worry about, but we should decide whether to worry about it, and we should probably mention it in the privacy considerations section anyway. -- GitHub Notification of comment by jyasskin Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-330926138 using your GitHub account
Received on Wednesday, 20 September 2017 17:39:09 UTC