Re: [webauthn] Being able to access the same public key credentials across different domains (#1827)

> Why did you set this strict requirement as part of the standard?

It's a critical part of what makes WebAuthn strongly resistant against phishing attacks. Without it, an imposter site could easily trick the user into giving up authentication credentials for any site where they have a WebAuthn credential.

It's also a privacy feature. If you use the same identity everywhere, it's very easy to track you. WebAuthn does not want to make that easier, in fact the standard goes out of its way to prevent leaking information that could de-anonymize users without their consent.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1827#issuecomment-1322115899 using your GitHub account

Received on Monday, 21 November 2022 14:05:10 UTC
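To make the scoping rule discussed above concrete, here is an added example (not part of the thread or the WebAuthn project) of the relying-party-side checks that enforce it: the `origin` in `clientDataJSON` must be one the RP accepts and must lie within the RP ID, and the `rpIdHash` in `authenticatorData` must equal SHA-256 of the RP ID. The RP ID `example.com`, the allowed origins and the sample messages are constructed for illustration.

```python
import hashlib
import json
from typing import Optional

# Constructed sample values for illustration (assumed, not from the thread).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

def origin_host(origin: str) -> str:
    """Return the host part of an https origin (no scheme, path or port)."""
    if not origin.startswith("https://"):
        raise ValueError("WebAuthn requires a secure context")
    return origin[len("https://"):].split("/")[0].split(":")[0]

def host_within_rp_id(host: str, rp_id: str) -> bool:
    """True if host equals rp_id or is a subdomain of it (the registrable-suffix rule)."""
    return host == rp_id or host.endswith("." + rp_id)

def verify_assertion_scope(client_data_json: bytes, authenticator_data: bytes,
                           rp_id: str = RP_ID) -> Optional[str]:
    """Return None if the assertion is scoped to our RP, else a reason string.

    Mirrors the RP-side origin check on clientDataJSON and the rpIdHash check on
    the first 32 bytes of authenticatorData; signature verification is out of scope here.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    origin = client_data.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return f"origin {origin!r} not allowed"
    if not host_within_rp_id(origin_host(origin), rp_id):
        return "origin is not within the RP ID"
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if authenticator_data[:32] != expected_hash:
        return "rpIdHash does not match our RP ID"
    return None

def make_client_data(origin: str) -> bytes:
    """Constructed clientDataJSON for an assertion from the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": "c29tZS1jaGFsbGVuZ2U",
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (UP) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
```

A look-alike origin fails the origin check, and an assertion an authenticator scoped to a different RP ID fails the `rpIdHash` check, which is what keeps one site's credentials unusable on another.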