[webauthn] 14.6.3. Privacy leak via credential IDs (#1311)

maxhata has just created a new issue for https://github.com/w3c/webauthn:

== 14.6.3. Privacy leak via credential IDs ==
> This privacy consideration applies to Relying Parties supporting single-factor authentication with non-resident credentials.

This should apply not only to non-resident credentials but also to resident credentials if credentialIds are sent. Sending credentialIds in an allowCredentials is a legitimate flow for authentication. Thus, I suggest changing "with non-resident credentials" to something like "when sending an allowCredentials with credentialIds."

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1311 using your GitHub account

Received on Monday, 7 October 2019 07:03:58 UTC