Re: [webauthn] Cross-origin credential creation in iframes (#1656)

> If site https://example.com/pay-now is embedded as an iframe in a merchant's site, and wishes to create a credential, solely for example.com's use, how is this legally different from redirecting them to example.com and creating it as a first party, then redirecting back?

To the extent the iframe displays content that identifies the RP with whom the Consumer is registering their FIDO credential, and the RP provides notices/services required of _data controllers_ before receiving consent, as described in GDPR Article 7, it is conceivable the two flows may not be legally different. But, I'm not qualified to make that legal judgement.

My objection to the "feature-creep" of FIDO/WebAuthn is that, to the best of my knowledge, there isn't a single passwordless FIDO2 site (in production use) visible on the internet yet, so there is a lot for all of us to still learn about the protocol and its gaps as it gets adopted at scale. But, if we keep adding features to it that run up against regulations - when many of us laboring on FIDO adoption are just trying to eliminate passwords, OTP, KBA and all the crap billion/trillion dollar companies trot out as security - we might kill FIDO before it can even stand on its legs. It is complicated enough already.

_P.S. Apologies for the rant, but I've been personally working on passwordless strong authentication since 1999 and would like to see my 4-year-old grandson use it as a matter of course for everything he accesses before I leave for the bit-bucket in the sky. But, if we don't focus on making FIDO simpler, easier and more cost-effective than legacy authentication schemes, this may be another lost opportunity. I will make this my last post on this topic as I feel I've consumed enough bandwidth on this thread. Thank you all for your indulgence._

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-894564083 using your GitHub account



Received on Friday, 6 August 2021 23:24:19 UTC