- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Fri, 27 Dec 2024 00:56:20 +0000
- To: public-webauthn@w3.org
> It is very easy for a user to register many accounts on a website which uses webauthn, but it seems that there is no easy way to limit this capability of the user, for it is not easy to identify the user or the authenticator...when the user is registering.

I don't entirely understand what is being requested here. Limiting new account creation to dissuade one user from registering multiple accounts is a problem for the RP whether it uses passwords+2FA or passkeys. Passkeys aren't really a good means for achieving this.

> If there is a method that can get all the credentials for a relying party on the client device, the relying party (website) can easily limit the number of accounts a user can register using the client device.

This sounds like credential enumeration, which is frowned upon in the WebAuthn space for how easily it can be abused by bad actors.

--
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2222#issuecomment-2563203839 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 27 December 2024 00:56:21 UTC