- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Mon, 24 Jan 2022 01:22:46 +0000
- To: public-webauthn@w3.org

Your point about extensions being optional and easy for browsers or authenticators to ignore (or be incapable of supporting) is a valid one. I don't know what a path forward is now... tell RPs to let passkeys happen and forget about `devicePubKey` since it can't reliably achieve its intended goal of supporting pre-passkey operation before passkeys deploy?

> And at the point someone has access to my google, they have my email and can reset all my account passwords anyway. So what is this really defending from?

I think this highlights a flaw in passkeys: that now there is an avenue to phish users when originally the spec made WebAuthn-based authentication phishing resistant. Is that trade-off worth it for an actual account recovery story for the consumer market?

--
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019628351 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 24 January 2022 01:22:48 UTC