Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

The UI flow we're using mirrors that of our native app exactly and provides an extremely pleasant user experience coupled with the anti-phishing benefits of webauthn in general. The only caveat is that state must be preserved on the client device.

This leaves my sites stuck between 2 security concerns: username enumeration or the possibility of tracking the user (but only on a site you had previously registered on right?).

We plan on releasing the current flow with the state persisted in local storage next week for an audience of 1.5 million monthly active users of multiple US banks and credit unions. I'd like to find a path forward though to remove the local state dependence so that the password based login flow is only the first time login experience.

-- 
GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-573172914 using your GitHub account

Received on Friday, 10 January 2020 19:27:14 UTC
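The trade-off the comment describes, as an added example that is not from the thread or from the author's site: the login page decides between a username-less WebAuthn assertion (when per-device state with the registered credential IDs survived) and a password-first flow (when it did not). The storage key `webauthn.credIds`, the `rpId` value and the base64url layout are assumptions; the `storage` argument is anything with `getItem`/`setItem`, such as `window.localStorage`.

```javascript
// Assumed layout: storage[STATE_KEY] is a JSON array of base64url
// credential IDs that were registered on this device for this origin.
const STATE_KEY = "webauthn.credIds";

// Decode base64url (no padding) into the Uint8Array WebAuthn expects.
function base64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Record a credential ID after a successful registration (deduplicated).
function rememberCredential(storage, credIdBase64url) {
  const ids = readCredentialIds(storage);
  if (!ids.includes(credIdBase64url)) ids.push(credIdBase64url);
  storage.setItem(STATE_KEY, JSON.stringify(ids));
  return ids.length;
}

// Tolerate missing or corrupted state: treat it as "no state".
function readCredentialIds(storage) {
  try {
    const ids = JSON.parse(storage.getItem(STATE_KEY) || "[]");
    return Array.isArray(ids) ? ids.filter((x) => typeof x === "string") : [];
  } catch {
    return [];
  }
}

// Build the request for navigator.credentials.get(), or fall back.
// `challenge` is the server-issued challenge bytes for this attempt.
function planLogin(storage, challenge) {
  const ids = readCredentialIds(storage);
  if (ids.length === 0) {
    // Without device state there is nothing to put in allowCredentials,
    // so the site must ask for a username first (the enumeration concern).
    return { mode: "password-first", publicKey: null };
  }
  return {
    mode: "webauthn",
    publicKey: {
      challenge,
      rpId: "bank.example", // placeholder relying-party ID
      userVerification: "required",
      timeout: 60000,
      allowCredentials: ids.map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
    },
  };
}
```

In the browser the `webauthn` branch is passed straight to `navigator.credentials.get({ publicKey })`; note that because the state lives in same-origin `localStorage`, it is cleared by the same user actions that clear site data, which is why the fallback branch must always exist.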