Re: [webauthn] How to know if a user has already registered a device? (#1749)

> I think only credentials.exists(rpId) is all that is needed. Is there any credential stored for the RP? How is that a super-cookie?

Firstly, browsers don't have perfect information to answer with: perhaps the user has a credential on a security key or phone that they would like to use.

Also, RP IDs are not a limited resource. A site can create many subdomains and register different users on different subdomains, then probe for credentials on each. So the fingerprinting surface is more than one bit.

The combination is enough to make things problematic. There have been requests for a "conditional modal" UI, i.e. a modal UI that appears only if a credential is known to exist. That still has the first problem, suggesting that _something_ should always appear for users who really want to use WebAuthn (perhaps in the URL bar), but would be a middle ground between modal and autofill UIs. There is not currently enough energy behind this idea to make it real, however.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1825033118 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 November 2023 01:01:08 UTC
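The fingerprinting argument in the comment above, as an added simulation that is not part of the thread: `credentialsExists` stands in for the hypothetical `credentials.exists(rpId)`, the credential store and the subdomain names are constructed for the example, and the real registration ceremonies (one per subdomain, each needing user interaction) are abstracted away. It shows why one existence bit per RP ID, multiplied by an unbounded supply of RP IDs, behaves like a k-bit cookie.

```javascript
// Constructed stand-in for the browser's credential store: the set of RP IDs
// for which this user agent holds a credential. A real browser could not even
// answer this completely (credentials on a security key or phone are invisible).
function makeStore() { return new Set(); }

// The hypothetical one-bit API discussed in the thread: "is there any credential for rpId?"
function credentialsExists(store, rpId) { return store.has(rpId); }

// RP IDs are not scarce: a site can mint k subdomains and use each as a distinct RP ID.
function probeRpIds(site, k) {
  return Array.from({ length: k }, (_, i) => `u${i}.${site}`);
}

// First visit: register a credential only on the subdomains whose bit is set in the
// identifier chosen for this visitor, so the presence pattern encodes the identifier.
function assignIdentifier(store, site, k, id) {
  probeRpIds(site, k).forEach((rpId, i) => {
    if ((id >> i) & 1) store.add(rpId);
  });
}

// Later visit: the same one-bit query per subdomain reads all k bits back without
// any user interaction, which is what makes it a super-cookie rather than "one bit".
function recoverIdentifier(store, site, k) {
  return probeRpIds(site, k).reduce(
    (id, rpId, i) => id | (Number(credentialsExists(store, rpId)) << i), 0);
}

// Distinguishable visitors: 2 for a single RP ID, 2^k once k subdomains are probed.
function distinguishableUsers(k) { return 2 ** k; }

// Stand-alone demo with a constructed 16-bit identifier.
const demoStore = makeStore();
assignIdentifier(demoStore, "example.com", 16, 0xbeef);
console.log(recoverIdentifier(demoStore, "example.com", 16).toString(16)); // beef
console.log(distinguishableUsers(1), distinguishableUsers(16));             // 2 65536
```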