Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> attestation is really the only solution for that case.
> [...]
> And again, attestation already provides RPs most of the same powers but in a form that's also verifiable.

Sorry, to clarify – are you suggesting attestation as a way of opting out of syncing (which is currently a side effect of requesting it), or attestation and subsequently (upon learning that it's a syncing implementation) not using a given authenticator at all? As far as I understand, the former is only intended to be temporary (until the "backup indicator" is specified and implemented), right?

> It could easily be misunderstood as a "make it more secure" parameter, which is not at all true.

I do share that concern, as the standard mode of operation of audit-heavy organizations/industries is to just disable all options that aren't explicitly required in the interest of security, and ones that do actually impact it somewhat doubly so.

> We don't want RPs to use that without carefully considering the implications, because that will get users locked out and driven away from using WebAuthn at all because of the hassle (making them less secure in the end).

Agreed – but the other possibility here is some organizations/industries never adopting WebAuthn and sticking with proprietary app-based solutions (or worse, like SMS-OTP).

-- 
GitHub Notification of comment by lxgr
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1084675426 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 31 March 2022 14:38:56 UTC
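As an added example (not part of the thread or of the WebAuthn specification's own code), here is what the "backup indicator" mentioned above looks like from the RP side once it is available: WebAuthn Level 3 defines it as two bits in the authenticator data flags byte, BE (backup eligible, bit 3) and BS (backup state, bit 4). The policy function, the sample authenticator data and the `require_device_bound` parameter are constructed for illustration; the flag bit positions and the rule that BS must be 0 when BE is 0 are from the specification.

```python
# Added example (not from the thread): RP-side parsing of WebAuthn authenticator
# data flags, including the Level 3 backup eligibility (BE) and backup state (BS)
# bits, plus a constructed RP policy that rejects backup-eligible credentials
# when device-bound credentials are required.
import hashlib
import struct

# Bit positions inside the single flags byte of authenticator data (WebAuthn L3).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced / backed up
FLAG_BS = 1 << 4  # backup state: credential is currently backed up
FLAG_AT = 1 << 6  # attested credential data follows
FLAG_ED = 1 << 7  # extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def evaluate_backup_policy(auth_data: bytes, require_device_bound: bool) -> tuple:
    """Constructed RP policy: returns (accepted, reason).

    BS set without BE is malformed per the spec (BS must be 0 when BE is 0) and is
    always rejected. A backup-eligible credential is rejected only when the RP has
    opted into requiring device-bound credentials; otherwise it is accepted.
    """
    parsed = parse_auth_data(auth_data)
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        return False, "malformed flags: BS set while BE is clear"
    if require_device_bound and parsed["backup_eligible"]:
        return False, "credential is backup-eligible (may be synced); device-bound required"
    return True, "accepted"


def backup_eligibility_changed(stored_be: bool, current_be: bool) -> bool:
    """BE is fixed for the lifetime of a credential; a change between registration
    and a later assertion indicates a misbehaving authenticator (constructed check)."""
    return stored_be != current_be


def make_auth_data(flags: int, sign_count: int, rp_id: str = "example.com") -> bytes:
    """Build constructed sample authenticator data (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: a synced (backup-eligible, currently backed up) credential,
# a device-bound one, and a malformed flags byte.
SYNCED = make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND = make_auth_data(FLAG_UP | FLAG_UV, 7)
MALFORMED = make_auth_data(FLAG_UP | FLAG_BS, 1)

if __name__ == "__main__":
    for name, data in (("synced", SYNCED), ("device-bound", DEVICE_BOUND), ("malformed", MALFORMED)):
        for strict in (True, False):
            print(name, "require_device_bound=%s" % strict, evaluate_backup_policy(data, strict))
```

The policy mirrors the trade-off raised in the thread: with `require_device_bound=False` (the default an RP should start from) synced credentials are accepted and nobody is locked out; only an RP that has deliberately opted in rejects BE credentials, and it can do so from the flags alone without requiring attestation.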