- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 02 Jul 2019 08:25:15 +0000
- To: public-webauthn@w3.org
Sorry, returning a specific error for this case is unfortunately not an option, because that would enable malicious RPs to use WebAuthn credentials to identify users without consent. See [ยง13.6. Authentication Ceremony Privacy](https://w3c.github.io/webauthn/#sctn-assertion-privacy). The UI popup is necessary so that the RP cannot use timing information to determine if the browser canceled the ceremony because no credential is available, or if the user canceled the popup asking whether to proceed. The alternative would be to always wait for the timeout before returning a `NotAllowedError`, which would be even worse UX. This feature request is incompatible with the [de-anonymization prevention measures](https://w3c.github.io/webauthn/#sctn-non-correlatable-credentials) in WebAuthn; I propose closing the issue. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1251#issuecomment-507574914 using your GitHub account
Received on Tuesday, 2 July 2019 08:25:17 UTC