Re: [webauthn] RPs cannot show "You've Already Registered This Authenticator" Message

> providing this information would allow malicious RPs to reliably identify (i.e., track) the user without consent.
No.  The CTAP2 spec explicitly says that user consent must be gathered before it replies with `CTAP2_ERR_CREDENTIAL_EXCLUDED`

-- 
GitHub Notification of comment by leshi
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806#issuecomment-366350412 using your GitHub account

Received on Friday, 16 February 2018 20:32:58 UTC