- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 27 Feb 2018 11:08:40 +0000
- To: public-webauthn@w3.org

The problem Web Authentication aims to solve is easy multi-factor authentication (MFA), not global identities. I don't understand what problems your solution would solve. Do you mean that knowledge of the `generate_identity()` result would be enough to prove ownership of the `user.uuid` identity? I don't see how that would be any more secure or easy to use than a conventional session cookie, if the identity is never shared between websites anyway.

> Well, things will be better if websites can change their domain.

Why would it be better? How often do the websites you frequent change their domains? And how would your suggested `generate_identity()` solve that?

Binding credentials to the websites they were created for is one part of what makes Web Authentication credentials practically immune to phishing and similar spoofing attacks.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/820#issuecomment-368837094 using your GitHub account

Received on Tuesday, 27 February 2018 11:09:02 UTC
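
The site binding mentioned in the comment above is enforced on the relying party side by two checks, sketched here as an added example that is not part of the original message or of any WebAuthn library. The RP ID `example.com`, the look-alike `examp1e.com`, the challenge value and the helper names are constructed for illustration, and signature verification is left out.

```python
import hashlib
import json

RP_ID = "example.com"                    # constructed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # constructed origin


def make_response(origin, rp_id, challenge):
    """Build the two client-produced structures (constructed sample data).

    The browser, not the page, fills in `origin`; the authenticator puts
    SHA-256(rp_id) in the first 32 bytes of authenticatorData.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags_and_counter = b"\x01" + (0).to_bytes(4, "big")  # UP flag, signCount 0
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags_and_counter
    return client_data, auth_data


def check_binding(client_data_json, auth_data, challenge):
    """Return a list of binding failures; empty means the checks passed.

    Signature verification over auth_data || SHA-256(client_data_json) is a
    separate required step and is omitted here.
    """
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if client_data.get("challenge") != challenge:
        failures.append("challenge")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    return failures


if __name__ == "__main__":
    chal = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed base64url challenge
    print(check_binding(*make_response(EXPECTED_ORIGIN, RP_ID, chal), chal))
    # A response produced on a look-alike site carries that site's origin and RP ID hash
    print(check_binding(*make_response("https://examp1e.com", "examp1e.com", chal), chal))
```

Because both values are covered by the authenticator's signature, a response produced on another site cannot be edited to pass these checks without invalidating the signature.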