- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 10 Nov 2022 13:41:54 +0000
- To: public-webauthn@w3.org
> why would you need to store the cred ID in cookies?
>
> you just enter a user name and the server gives back the credential IDs in response just as if using U2F but without needing a password but instead requiring UV.

See the [Username Enumeration](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-username-enumeration) and [Privacy leak via credential IDs](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-credential-id-privacy-leak) privacy considerations.

But yes, these are noteworthy considerations, not all-encompassing bans (and honestly we have no data on how hard it would actually be to de-anonymize someone just by analyzing `allowCredentials` lists between accounts or RPs). And they are obviously much less relevant if your user profiles are public, for example.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1310299024 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 November 2022 13:41:56 UTC