Re: [webauthn] Prohibit Create Credential from cross-origin iframes (#1336)

I'm a bit saddened by this decision to not allow credential enrolment from the context of an iframe. I'm the CTO of a new payments company (https://stitch.money), which is aiming to improve the payments experience in our markets. 

As @btidor-stripe mentioned, 3-D Secure is a good example of where allowing iframe credential enrolment would be hugely advantageous for the security of the payments ecosystem, but it goes beyond just 3-D Secure.

For many of our clients, Stitch offering a more integrated experience, rather than forcing users to do a redirect, is an important product consideration. In order to prevent our customers from having to shoulder a large part of the PCI compliance burden, we deliver the embedded version of our interface via an iframe so that our customers do not have to directly handle the credentials themselves. This is quite a common approach in the industry at large.

For our product, we perform tokenisation of users' credentials to streamline subsequent checkouts, and currently have to store this single-use token in localStorage. This isn't the best, as this value could conceivably be exfiltrated from local storage and used on another device. It'd be greatly preferable if we could use WebAuthn to better tie the token to the device.

I'm a little unclear as to why the enrolment is considered a significant privacy threat in the model. Do both retrieval and enrolment not require user interaction? If that is indeed the case, surely this would not be a particularly attractive fingerprinting method? Or is it because some of the associated parts of the API increase the available entropy that could be used in general fingerprinting methods?

-- 
GitHub Notification of comment by ncthbrt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1336#issuecomment-892429750 using your GitHub account


Received on Wednesday, 4 August 2021 07:24:59 UTC