W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2021

Re: [webauthn] Allow RP to determine correct Platform Authenticator name (#1563)

From: Lucas Garron via GitHub <sysbot+gh@w3.org>
Date: Tue, 09 Feb 2021 01:41:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-775590378-1612834877-sysbot+gh@w3.org>
For what it's worth, we've tried to work around this at GitHub, and... we have no clever ideas. Saying "your device's login screen" or "your built-in authenticator" is somewhat accurate, but the spec doesn't guarantee anything about the how much of the implementation is shared with the device's login auth, and those phrases are not nearly as natural as "use Face ID" or "use Windows Hello".

I know the spec has been designed to be extremely wary of privacy leaks, but some privacy-sensitive decisions present significant barriers to adoption. And e.g. when it comes to leaking user registrations info, I believe that cuation is warranted.

However, revealing the kind of authenticator available (e.g. in an extended version of `isUserVerifyingAuthenticatorAvailable()`) is fairly low-entropy. While it is "yet another fingerprint", it can be designed to leak almost no additional entropy to user agent + [screen size](https://developer.mozilla.org/en-US/docs/Web/API/Screen/width).

From another angle, I understand that some browser may not wish to have sites display the authenticator name if they cannot control the branding used by the site. I think the W3C should decide whether this is a good enough reason, and make it clear if this is the actual overriding concern.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1563#issuecomment-775590378 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 9 February 2021 01:41:20 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 9 February 2021 01:41:20 UTC