- From: Ackermann Yuriy via GitHub <sysbot+gh@w3.org>
- Date: Thu, 06 Feb 2025 22:36:52 +0000
- To: public-webauthn@w3.org
@bigradish @emlun Not only that, but there are technical limitations as well.

1. Platforms are no longer monolithic, but a plugin ecosystem that allows third-party providers, like Dashlane, 1Password, etc., to provide passkeys. This means that they would have to have an API that allows non-authorized enumeration of the credentials, which not only might not be technically possible (see encryption), but would be a gross privacy violation (see the Russian govt wanting to know where you have accounts).

2. Passkey providers might not even know how many credentials they have. If they do non-exportable, non-discoverable credentials that are stored in a secure enclave, and they don't allow the user to manage them, like it works in FIDO2/U2F, then they might not even know that they have those credentials.

3. Security keys exist, and users can plug them in after you request authentication. And again, if they are non-discoverable, then security keys won't be able to enumerate them.

Passkeys are not meant to deal with the T&C of the website. It's a tool to sign challenges that happens to be useful as a part of authentication.

--
GitHub Notification of comment by yackermann
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2255#issuecomment-2641280370 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 6 February 2025 22:36:53 UTC