Re: [webauthn] way to return a platform specific Name for the thing that gets registered. (#1304)

I see two problems with this:
1) By providing such information to RPs, the standard runs the risk of enabling the violation of privacy protections mandated by law in some parts of the world (all parts, if rationality prevailed). California's Consumer Privacy Act (CCPA) recognizes IP addresses and similar metadata as Personally Identifiable Information (PII). Yes, RPs have to conform to the law - not Standards organizations. But, if a protocol/standard leaks information that violates evolving/progressive privacy regulations, there is a good chance that influential non-technologists (lawyers) will kill the use of the technology to protect the company from liability;

2) By shielding customers from understanding some of the UX semantics of FIDO-based authentication, we are perpetuating the problem: that of treating users as being incapable of using something a little different because of our own preconceived notions.

I would strongly encourage the FIDO Alliance and W3C to work on creating educational material to "lift users up" by giving them the knowledge they need to know what to do with their brand/type of Authenticator when prompted to use their FIDO Authenticator, rather than to "dumb them down" further. In the long term, educating users will be a win-win situation for everybody concerned.

(In case you're wondering what is the harm in shielding them from information they ought not to/might not care about, you only have to read the current headlines in newspapers to see the consequences of that strategy).

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1304#issuecomment-588490714 using your GitHub account

Received on Wednesday, 19 February 2020 21:53:25 UTC