Re: [webauthn] residentKey: "preferred-if-unlimited"? (#1822)

It is a privacy issue for some sites. Thinking of a real incident with a site called Ashley Madison, which had an issue when there was a way to tell if a particular email address had an account.

Some sites have public user lists, and others that perhaps serve minorities that might be vulnerable go to some lengths not to disclose.

I have personally argued for non-resident passwordless flows, however, that is not the direction the working group has taken.

The move to autofill-UI and a desire for backed up consumer credentials will likely kill security keys in the consumer market. That is not to say that security keys won't continue to have a role in regulated, enterprise, or other sensitive applications. Consumers should have the option to continue using security keys if they prefer, but I think compromising the majority user experience of discoverable credentials to keep security keys working is a hard sell. Security keys can also expand storage, but that is not without limit, especially on secure elements.

We need to make the key experience as good as it can be, but most people will not purchase personal keys going forward.

Back to the topic, I think we can add some advice to CTAP2.2 to improve the situation. No change is required to WebAuthn.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1310351185 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 November 2022 14:19:53 UTC