Re: [webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (#2222)

Hi Shane,

Thank you very much for your detailed answers.
I understand what you mean.
How about providing a method to get just the number of the credentials on the device for the RP?
This can avoid account linking, or account tracking, for the RP does not know the exact account names associated with these credentials.

________________________________
From: Shane Weeden ***@***.***>
Sent: 27 December 2024 11:03
To: w3c/webauthn ***@***.***>
Cc: bigradish ***@***.***>; Author ***@***.***>
Subject: Re: [w3c/webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (Issue #2222)


This type of behaviour is called account linking, or account tracking, and is an anti-pattern with respect to end user privacy, whether it be across domains on the internet, or between separate accounts on the same RP/website. I am highly confident the WebAuthn WG will not support any notion to introduce a capability like this. By way of example, if I have 5 google accounts, Google doesn't need to know, nor should they, that they are all mine. They are completely separate personas that I (as an end user) want distinct for privacy reasons.

If as an RP you're trying to bind an account to a human, then use a 3rd party identity proofing solution (not an authentication technology like WebAuthn) to do that. Real humans will find it difficult to provide the burdens of proof required to satisfy different human identities for many accounts at the same RP.



-- 
GitHub Notification of comment by bigradish
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2222#issuecomment-2563273217 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 27 December 2024 03:21:48 UTC