Re: [webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (#2222)

> Hi, thank you for your answers. I use pure passkeys to let users register on my site, and hope passkeys can be good at limiting the number of accounts a user can register. Yes, I mean credential enumeration. I think as a relying party can only get its own credentials, this will not cause bad problems. Do you think so?

This is very much a problem since the RP could now tell that the same human / physical device owned those multiple accounts. 

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2222#issuecomment-2563257360 using your GitHub account



Received on Friday, 27 December 2024 02:47:54 UTC