Re: [webauthn] What's this SPEC for?

> by a phishing attack

Users needn't tell websites their uuid. Users just need to tell the browser their uuid when the browser is opened for the first time.

And in fact, people may not remember their uuid; they just store it on a USB device. So, when the browser is opened for the first time, the user needs to import a uuid into the browser. Then, when the user visits a website, he/she just clicks the `confirm` button.

The browser doesn't expose `user.uuid` to the JS runtime; it just exposes the function `generate_identity = () => md5(user.uuid + location.host)`.... So it has nothing to do with phishing attacks.

> They don't need to sync anything to use Web Authentication credentials either.

I think sync is in big demand. I have imported the same uuid into two different browsers: one PC browser and one mobile browser. Then when I visit a website for the first time on PC and use `const identity = generate_identity()`, the identity registers an account, and I do many things using the account. Then when I visit the website on the mobile browser, I get the same account, and the things I did on PC naturally show up in the mobile browser.

> It will be very easy for the user with Web Authentication as well

Yeah, our two solutions are both easy to register.

In fact, the main difference between the two solutions is: **who is the authenticator**. Your authenticator is software, a USB device. My authenticator is Math.

-- 
GitHub Notification of comment by xialvjun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/820#issuecomment-368952128 using your GitHub account

Received on Tuesday, 27 February 2018 17:08:26 UTC
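
The following is an added example, not code from the comment above or from the WebAuthn specification. It implements the `md5(user.uuid + location.host)` derivation the comment describes and puts it beside a challenge-signing check, so the value a site receives and stores in each model can be compared. The function names, the sample uuid, the hosts and the use of Ed25519 are assumptions made for the illustration.

```javascript
// Added illustration (Node.js). All names here are hypothetical except the
// md5(uuid + host) formula, which is taken from the comment.
const nodeCrypto = require('node:crypto');

// Constructed sample uuid, not a real secret.
const SAMPLE_UUID = '123e4567-e89b-12d3-a456-426614174000';

// The derivation from the comment: md5(user.uuid + location.host).
function generateIdentity(uuid, host) {
  return nodeCrypto.createHash('md5').update(uuid + host).digest('hex');
}

// Site side for the derived-identity model: the account is found by
// comparing the submitted string with the stored one.
function loginWithIdentity(accounts, submitted) {
  return accounts.has(submitted);
}

// Site side for a challenge-signing model: the site stores a public key
// and checks a signature over a fresh challenge plus the origin.
function signAssertion(privateKey, challenge, origin) {
  const msg = Buffer.concat([challenge, Buffer.from(origin)]);
  return nodeCrypto.sign(null, msg, privateKey); // null: Ed25519 picks its own hash
}
function verifyAssertion(publicKey, challenge, origin, signature) {
  const msg = Buffer.concat([challenge, Buffer.from(origin)]);
  return nodeCrypto.verify(null, msg, publicKey, signature);
}

function demo() {
  const pc = generateIdentity(SAMPLE_UUID, 'example.com');
  const mobile = generateIdentity(SAMPLE_UUID, 'example.com');
  const otherSite = generateIdentity(SAMPLE_UUID, 'example.org');
  const accounts = new Set([pc]); // what example.com stores at registration

  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const firstChallenge = nodeCrypto.randomBytes(32);
  const nextChallenge = nodeCrypto.randomBytes(32);
  const sig = signAssertion(privateKey, firstChallenge, 'example.com');

  return {
    sameAcrossDevices: pc === mobile,   // the "sync" property
    differsPerHost: pc !== otherSite,   // one site cannot derive another's value
    // The derived value is identical on every visit, so it acts as a fixed login string.
    sameValueAcceptedAgain: loginWithIdentity(accounts, mobile),
    signatureOnItsChallenge: verifyAssertion(publicKey, firstChallenge, 'example.com', sig),
    // A signature is bound to one challenge and does not verify against the next one.
    signatureOnNextChallenge: verifyAssertion(publicKey, nextChallenge, 'example.com', sig),
  };
}
```
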