[webauthn] user verification discouraged should consider privacy impact or UA advice (#2323)

npdoty has just created a new issue for https://github.com/w3c/webauthn:

== user verification discouraged should consider privacy impact or UA advice ==
Is user verification `discouraged` intended to be used for relying parties to signal a preference for less user interaction? Does user verification provide a certain backstop of privacy protection for users to be sure they know what they're authenticating and to whom?

My understanding (thanks @timcappalli) is that this doesn't enable the abuse of silent info gathering. The spec might make that explicit, or note that UAs have the unaffected obligation to explain the operation to users even if the RP doesn't prefer that a user verification step is completed.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2323 using your GitHub account


Received on Thursday, 14 August 2025 17:42:59 UTC