- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Sat, 25 Nov 2023 21:17:49 +0000
- To: public-webauthn@w3.org
> If I understand right, the potential tracking risk you mention goes as follows:
> user goes to weird-subdomain-just-for-him.tracker.xyz
> user registers with webAuthn
> each time user visits weird-subdomain-just-for-him.tracker.xyz, that person can be tracked

WebAuthn calls can be made on subdomains within iframes, which would be a lot more effective. The mobile APIs don't allow for an "exists" call either, and they are generally much more trusting given the much greater friction of installing a mobile app. So exposing that on the web seems unlikely.

getOrCreate is possible if there's enough demand, thanks. It would be similar to the model of federated sign-in. I can't say that anything will happen quickly, but I'll keep it in mind along with a possible "conditional modal" mode.

> While we talk about privacy, the concrete situation we are in is that "discoverable" credentials are pushed. All such credentials are synced with Google/Microsoft/Apple having de facto a copy of your account keys.

Google Password Manager e2e encrypts passkey secrets; Google cannot access them. [Likewise](https://support.apple.com/en-us/102651) for iCloud Keychain. If you don't trust them, 3rd parties like 1Password exist, or you can use a security key.

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1826421731 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 25 November 2023 21:17:51 UTC
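The RP ID scoping rule that the subdomain/iframe point above turns on, as an added JavaScript example (not code from the thread or from the WebAuthn project). It assumes a tiny constructed public-suffix list and constructed origin names in place of the real Public Suffix List.

```javascript
// Added example: a simplified version of the WebAuthn RP ID check. A credential
// is bound to an rpId; a caller may use it only when the caller's origin is a
// secure context whose host equals the rpId or is a subdomain of it, and the
// rpId itself must not be a public suffix. This is why a per-user subdomain can
// register under the parent rpId and any iframe served from that parent can
// later call get() against the same credential scope.
// Constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["xyz", "com", "co.uk", "github.io"]);

// WebAuthn requires a secure context; localhost is treated as one here.
function effectiveDomain(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.hostname !== "localhost") return null;
  return url.hostname.toLowerCase();
}

function isPublicSuffix(host) {
  return PUBLIC_SUFFIXES.has(host.toLowerCase());
}

// May a caller at `origin` use credentials scoped to `rpId`?
function rpIdAllowedFor(origin, rpId) {
  const host = effectiveDomain(origin);
  if (!host || !rpId) return false;
  const id = rpId.toLowerCase();
  if (isPublicSuffix(id)) return false; // nobody may claim a whole TLD / public suffix
  return host === id || host.endsWith("." + id);
}

// Which of the given origins share the credential scope `rpId`? Everything
// under tracker.xyz, including an iframe embedded on an unrelated page, does;
// a look-alike host such as evil-tracker.xyz does not.
function sharedScope(rpId, candidateOrigins) {
  return candidateOrigins.filter((o) => rpIdAllowedFor(o, rpId));
}
```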