- From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
- Date: Sat, 04 Jan 2020 11:51:47 +0000
- To: public-webauthn@w3.org
ChadKillingsworth has just created a new issue for https://github.com/w3c/webauthn:

== Dependence on Browser state for Primary Factor login ==

I work in the financial industry and username enumeration is not permitted. That means to utilize webauthn for primary factor logins, the browser has to keep a state of whether or not the user has enabled it. This can be done via traditional storage mechanisms such as cookies, but I have found those to be fragile and frequently absent.

My concern is that a good portion of the anti-phishing benefit of webauthn for primary factor logins will be lost as a user will still think that a password based login flow is "normal" even though they have enabled webauthn for the primary factor.

For password credentials, the browser both stores and provides a UI for the user to select a credential to send to the server. In Chrome, it's possible to have a login without any HTML UI form elements. I'd propose a similar use case for PublicKeyCredentials. Allow the browser to prompt the user to select a username from the set of public key credentials stored on the device from which to initiate the ceremony.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356 using your GitHub account
Received on Saturday, 4 January 2020 11:51:48 UTC