Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

> > If IDs come back, it'd be nice to trigger webauthn automatically and get back a failure saying "none of these IDs are here" which also doesn't trigger any native browser UI
> 
> The desire is quite understandable but we can't allow websites to silently probe the browser for the user's identity for the obvious reasons.

The website is providing a list of IDs it knows about, though. And it seems like the ID space is huge. If the query limits possible hits to the current web domain only, the danger is that a script might start silently iterating through all possible IDs to find the one or two working keys on this device? That's the danger?



-- 
GitHub Notification of comment by knightcode
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-905951842 using your GitHub account



Received on Wednesday, 25 August 2021 23:55:13 UTC