Re: [webauthn] How to know if a user has already registered a device? (#1749)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 20 Jun 2022 08:59:10 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1160170349-1655715548-sysbot+gh@w3.org>

> What would be the privacy issues of a `credentials.exists(credentialId)`? It might be obvious for you but I don't get it.

The first issue is that it could be used as a "super-cookie" to track users without explicit consent. Then add to that that it won't even work for roaming authenticators (e.g., external security keys) since they're unlikely to be plugged in all the time.

We're aware that this is a difficulty for RPs, but we won't add a plain `credentials.exists(credentialId)` for these reasons. I think #1576 and/or #1568 are more likely candidates for solving this problem.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1160170349 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 20 June 2022 08:59:12 UTC
