Re: [webauthn] residentKey: "preferred-if-unlimited"? (#1822)

> Storing credential ID in cookies creates cross browser flow issues and increases the number of times the user needs to register.

Why would you need to store the cred ID in cookies?

You just enter a user name and the server gives back the credential IDs in response, just as if using U2F, but without needing a password and instead requiring UV.

> Returning credentialID without a password is a potential privacy issue in that it allows attackers to probe for what accounts are valid.

Most websites have no issue telling you one way or another what user names are valid; not everyone is a bank.

I mean, on GitHub you can literally just look up users by typing in a profile URL, which conveniently has a username, for example.

-- 
GitHub Notification of comment by My1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1310253114 using your GitHub account



Received on Thursday, 10 November 2022 13:05:34 UTC
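
The username-first flow described in the message above, as an added server-side sketch that is not part of the original message or of the WebAuthn specification text. The credential store, `example.com`, `DECOY_KEY` and the `hideUnknownUsers` option are assumptions made for illustration; the decoy branch shows one way a relying party can answer the probing concern raised in the quoted text.

```javascript
// Added example: building WebAuthn request options for a typed-in username (Node.js).
const crypto = require('node:crypto');

// Constructed sample store: username -> registered credential IDs (base64url).
const CREDENTIALS = new Map([
  ['alice', ['Y3JlZC1hbGljZS0x', 'Y3JlZC1hbGljZS0y']],
]);

// Hypothetical server secret used only to derive decoy IDs. It must stay
// stable across requests and restarts, otherwise decoys change and stand out.
const DECOY_KEY = crypto.randomBytes(32);

// Deterministic decoy: the same unknown username always gets the same ID.
// In a real deployment the decoy must also match the length and format of
// genuine credential IDs (the constructed sample IDs above are shorter).
function decoyCredentialId(username) {
  return crypto.createHmac('sha256', DECOY_KEY)
    .update(username).digest('base64url');
}

// Returns PublicKeyCredentialRequestOptions in JSON form.
// hideUnknownUsers=false: the flow as described in the message, where an
//   unknown username yields an empty allowCredentials list.
// hideUnknownUsers=true: unknown usernames are answered with a decoy ID so
//   the response shape does not reveal whether the account exists.
function loginOptions(username, { hideUnknownUsers = false } = {}) {
  let ids = CREDENTIALS.get(username) ?? [];
  if (ids.length === 0 && hideUnknownUsers) {
    ids = [decoyCredentialId(username)];
  }
  return {
    challenge: crypto.randomBytes(32).toString('base64url'), // fresh per request
    rpId: 'example.com', // placeholder relying-party ID
    userVerification: 'required', // UV stands in for the password
    allowCredentials: ids.map((id) => ({ type: 'public-key', id })),
  };
}
```
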