
Re: [webauthn] navigator.credentials.get() option to suppress chrome UI popup if allowCredentials is not present in the authenticator (#1251)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Jul 2019 08:25:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-507574914-1562055914-sysbot+gh@w3.org>
Sorry, returning a specific error for this case is unfortunately not an option, because that would enable malicious RPs to use WebAuthn credentials to identify users without consent. See [§13.6. Authentication Ceremony Privacy](https://w3c.github.io/webauthn/#sctn-assertion-privacy). The UI popup is necessary so that the RP cannot use timing information to determine if the browser canceled the ceremony because no credential is available, or if the user canceled the popup asking whether to proceed. The alternative would be to always wait for the timeout before returning a `NotAllowedError`, which would be even worse UX.

This feature request is incompatible with the [de-anonymization prevention measures](https://w3c.github.io/webauthn/#sctn-non-correlatable-credentials) in WebAuthn; I propose closing the issue.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1251#issuecomment-507574914 using your GitHub account
Received on Tuesday, 2 July 2019 08:25:17 UTC
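
The reasoning in the message above, as an added model that is not part of the original message, the WebAuthn specification or any browser's code: it compares what an RP script could observe from a failed `navigator.credentials.get()` under each client policy the message discusses. The policy names, the timing values and the error name `NoCredentialError` are hypothetical and constructed for illustration.

```javascript
// Constructed values: ceremony timeout and plausible human dismissal times.
const TIMEOUT_MS = 60000;
const USER_DISMISS_MS = [1800, 4200, 9500];

// Each policy maps (hasCredential, dismissMs) to what the RP's promise
// rejection looks like: an error name and the elapsed time before it fires.
const policies = {
  // Requested feature: skip the popup and fail at once, same error name.
  immediateError: (hasCred, ms) =>
    ({ name: 'NotAllowedError', elapsedMs: hasCred ? ms : 0 }),
  // Requested feature with a dedicated error (hypothetical name).
  specificError: (hasCred, ms) =>
    hasCred ? { name: 'NotAllowedError', elapsedMs: ms }
            : { name: 'NoCredentialError', elapsedMs: 0 },
  // Behaviour defended in the message: the popup is always shown, so the
  // rejection time is the user's dismissal time in both cases.
  alwaysPrompt: (hasCred, ms) =>
    ({ name: 'NotAllowedError', elapsedMs: ms }),
  // Alternative named in the message: hold every failure until the timeout.
  waitForTimeout: () =>
    ({ name: 'NotAllowedError', elapsedMs: TIMEOUT_MS }),
};

// All observations the RP can see for one policy and one credential state.
function observations(policy, hasCred) {
  return new Set(USER_DISMISS_MS.map((ms) => {
    const o = policies[policy](hasCred, ms);
    return `${o.name}@${o.elapsedMs}`;
  }));
}

// The RP learns whether a credential exists if any observation can occur
// in only one of the two states.
function leaksCredentialPresence(policy) {
  const present = observations(policy, true);
  const absent = observations(policy, false);
  return [...absent].some((o) => !present.has(o)) ||
         [...present].some((o) => !absent.has(o));
}

// Longest time a user waits for a failure under the policy (the UX cost).
function worstFailureDelayMs(policy) {
  return Math.max(...USER_DISMISS_MS.map((ms) => policies[policy](false, ms).elapsedMs));
}

for (const p of Object.keys(policies)) {
  console.log(p, 'leaks:', leaksCredentialPresence(p), 'delay:', worstFailureDelayMs(p));
}
```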
