- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 07 Jul 2023 13:19:17 +0000
- To: public-webauthn@w3.org

What is the privacy issue with `name` and `displayName`? These fields are _never conveyed back to the RP_. The RP does not need to store them. They do not need to represent a unique user identity within the RP's user space. It may be against some RPs' terms of service for one person to create multiple accounts, but it is not possible for the RP to prevent this using the tools WebAuthn provides. This is **by design**, because that _is_ a privacy concern. An RP seeking to prevent this must use external tools (cookies, local storage, IP filtering, government ID proofing, etc.) to do so.

You certainly can set `name: "Passkey for xyz.com", displayName: "Passkey for xyz.com"` for every user if you wish to actively sabotage the user experience for users with multiple passkeys on the same authenticator.

> (I do not think it is common practice to say something about inheritance in a base interface like "when inherited by then"... very ugly and a sign that the name field should be a level lower...):

I agree, but it is far too late to change this now.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915#issuecomment-1625405587 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 7 July 2023 13:19:19 UTC