- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Fri, 27 Dec 2024 03:03:21 +0000
- To: public-webauthn@w3.org
This type of behaviour is called account linking, or account tracking, and is an anti-pattern with respect to end user privacy, whether it be across domains on the internet, or between separate accounts on the same RP/website. I am highly confident the WebAuthn WG will not support any notion to introduce a capability like this. By way of example, if I have 5 google accounts, Google doesn't need to know, nor should they, that they are all mine. They are completely separate personas that I (as an end user) want distinct for privacy reasons. If as an RP you're trying to bind an account to a human, then use a 3rd party identity proofing solution (not an authentication technology like WebAuthn) to do that. Real humans will find it difficult to provide the burdens of proof required to satisfy different human identities for many accounts at the same RP. -- GitHub Notification of comment by sbweeden Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2222#issuecomment-2563264705 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 27 December 2024 03:03:22 UTC