- From: Nick Steele via GitHub <sysbot+gh@w3.org>
- Date: Fri, 12 Feb 2021 22:44:07 +0000
- To: public-webauthn@w3.org
There seems to be a lot of issues lately regarding identifying authenticators ahead of time, which is truly a hard issue. The big reason why we don't allow for easy identification of available authenticators is because we, as Lucas mentioned, want to allow users to not be fingerprinted via their authenticator and only be identified when they choose to share that information. It is possible (although not totally reliable) to use other heuristics alongside the `isUserVerifyingAuthenticatorAvailable()` method to try and determine a user's client and client device, but perhaps we could do better on this. I would recommend we discuss this in the adoption community group (if you're available to discuss as well @lgarron that would be great) and we can potentially figure out a privacy-preserving solution there for publication within the W3C spec. Maybe the solution is to submit a PR asking for a similar method to `isUserVerifyingAuthenticatorAvailable()` that gives us further hints about the available authenticator. Closing this issue and moving it to discussion in [issue #6](https://github.com/webauthn-adoption/practical-webauthn/issues/6) in the community group. -- GitHub Notification of comment by nicksteele Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1563#issuecomment-778496329 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 12 February 2021 22:44:09 UTC