
Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

From: Martin Kreichgauer via GitHub <sysbot+gh@w3.org>
Date: Wed, 08 Jan 2020 19:35:21 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-572222824-1578512120-sysbot+gh@w3.org>

> Experimentation indicates that this UI triggers anytime there are zero matching credentials in the allowedCredentials array.

If this weren't the case, RPs would be able to probe silently for the (non-)existence of a credential with a given credential ID, which is a tracking concern.

If what you're interested in is login without a password, why would the user enter a username in the first place? Couldn't the site send a get() request with an *empty* allowList? The user would then select one of the resident credentials, and the site would be able to associate the correct user based on the response.

-- 
GitHub Notification of comment by kreichgauer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-572222824 using your GitHub account
Received on Wednesday, 8 January 2020 19:35:23 UTC
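
The username-less flow suggested in the message above, sketched from the relying party's side as an added example (not part of the original message or of any project's code). It assumes the allow list is the `allowCredentials` field of the request options, that the RP keeps a hypothetical `credentialStore` keyed by credential ID, and that signature and challenge verification happen separately.

```javascript
// Added example; credentialStore, buildRequestOptions and resolveAccount are
// hypothetical names, and the stored values are constructed sample data.
const b64url = (bytes) => Buffer.from(bytes).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Options for navigator.credentials.get({ publicKey: ... }) with an empty
// allow list: the user picks one of the resident credentials for this RP ID,
// so no username has to be typed first.
function buildRequestOptions(challenge, rpId) {
  return { challenge, rpId, allowCredentials: [] };
}

// Constructed sample store: credential ID (base64url) -> owner of the credential.
const credentialStore = new Map([
  [b64url('cred-alice-1'), { userHandle: b64url('uh-alice'), account: 'alice' }],
  [b64url('cred-bob-1'), { userHandle: b64url('uh-bob'), account: 'bob' }],
]);

// Associate the assertion with an account based on the response alone.
// With an empty allow list the response must carry a userHandle, and that
// handle must belong to the owner of the credential that signed.
function resolveAccount(assertion, store) {
  const { rawId, response } = assertion;
  if (!response.userHandle || response.userHandle.byteLength === 0) {
    return { ok: false, reason: 'missing userHandle' };
  }
  const record = store.get(b64url(rawId));
  if (!record) {
    return { ok: false, reason: 'unknown credential' };
  }
  if (record.userHandle !== b64url(response.userHandle)) {
    return { ok: false, reason: 'userHandle does not own credential' };
  }
  // The signature check against the stored public key is assumed to follow
  // before the session is actually established for record.account.
  return { ok: true, account: record.account };
}
```
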
