- From: Martin Kreichgauer via GitHub <sysbot+gh@w3.org>
- Date: Wed, 08 Jan 2020 19:35:21 +0000
- To: public-webauthn@w3.org
> Experimentation indicates that this UI triggers anytime there are zero matching credentials in the allowedCredentials array.

If this weren't the case, RPs would be able to probe silently for the (non-)existence of a credential with a given credential ID, which is a tracking concern.

If what you're interested in is login without a password, why would the user enter a username in the first place? Couldn't the site send a get() request with an *empty* allowList? The user would then select one of the resident credentials, and the site would be able to associate the correct user based on the response.

--
GitHub Notification of comment by kreichgauer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-572222824 using your GitHub account
Received on Wednesday, 8 January 2020 19:35:23 UTC
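
The usernameless flow suggested in the comment above, as an added example that is not part of the original message or of the WebAuthn project: the request carries an empty `allowCredentials` list (the WebAuthn field the message calls allowedCredentials / allowList), and the server identifies the account from `response.userHandle`. The function names, the `accounts` map layout and the `userVerification` setting are assumptions made for illustration.

```javascript
// Added example; buildRequestOptions, resolveUser, signIn and the shape of
// `accounts` are hypothetical, not taken from the original message.

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Options for navigator.credentials.get(). No credential IDs are sent, so the
// authenticator offers its discoverable (resident) credentials for this RP and
// the request cannot be used to test whether a specific credential ID exists.
function buildRequestOptions(challenge, rpId) {
  return {
    publicKey: {
      challenge,                    // fresh random bytes issued by the server
      rpId,
      allowCredentials: [],         // empty list: the user picks the credential
      userVerification: "required", // assumption: no password, so require UV
    },
  };
}

// Server side: find the account from the assertion alone. userHandle is the
// user.id the RP stored at registration; the credential ID must belong to it.
function resolveUser(assertion, accounts) {
  const handle = assertion.response.userHandle;
  if (!handle || handle.byteLength === 0) return null; // no handle returned
  const account = accounts.get(toHex(handle));
  if (!account) return null;
  const credId = toHex(assertion.rawId);
  const cred = account.credentials.find((c) => c.id === credId);
  // The caller must still verify the assertion signature with cred.publicKey.
  return cred ? { username: account.username, publicKey: cred.publicKey } : null;
}

// Browser side: no username field is needed before this call.
async function signIn(challenge, rpId) {
  return navigator.credentials.get(buildRequestOptions(challenge, rpId));
}
```
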