Re: [webauthn] How to know if a user has already registered a device? (#1749)

> What would be the privacy issues of a `credentials.exists(credentialId)`? It might be obvious for you but I don't get it.

The first issue is that it could be used as a "super-cookie" to track users without explicit consent. Then add to that that it won't even work for roaming authenticators (e.g., external security keys) since they're unlikely to be plugged in all the time.

We're aware that this is a difficulty for RPs, but we won't add a plain `credentials.exists(credentialId)` for these reasons. I think #1576 and/or #1568 are more likely candidates for solving this problem.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1160170349 using your GitHub account


Received on Monday, 20 June 2022 08:59:12 UTC