- From: David Waite via GitHub <sysbot+gh@w3.org>
- Date: Tue, 07 Apr 2020 05:34:19 +0000
- To: public-webauthn@w3.org

Three reasons which quickly spring to mind:

1. The statistical probability of a credential id repeating should be high enough that it is more likely something went wrong or that this is an attempt at an attack.
2. Predictable credential IDs could be used to track a user across services, say a credential ID which is a combination of a device serial number and a monotonically-increasing counter.
3. The credential id is returned on getAssertion, and could be used as a global identifier on a particular website.

--
GitHub Notification of comment by dwaite

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610183724 using your GitHub account

Received on Tuesday, 7 April 2020 05:34:22 UTC