Re: [webauthn] WebAuthn and Web Payments -- Transaction Confirmation, 3DS2, SRC, etc. (#1396)

> > A bigger problem is that there is no such thing as "trusted Web code" which makes WebAuthn less useful for payments than native apps.
> 
> This is not a problem. The UI displayed to the user is rendered by the client platform (i.e. trusted UI). The data that is signed is the same data displayed to the user. It doesn't matter if the code that invokes this process or handles the output is trusted.

This is the point: how secure is that on the client's OS? How is it secured at the OS API level? As long as that is not properly secured, it is not attractive in terms of risk analysis and cannot compete with out-of-band authorization (different channel).

-- 
GitHub Notification of comment by mattimac
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1396#issuecomment-654475344 using your GitHub account

Received on Monday, 6 July 2020 21:29:52 UTC