Re: [webauthn] Provide a method to get the count of the credentials of a rely party on client device on user permission (#2255) from Ackermann Yuriy on 2025-02-07 (public-webauthn@w3.org from February 2025)

From: Ackermann Yuriy <ackermann.yuriy@gmail.com>
Date: Fri, 7 Feb 2025 15:26:33 +1300
To: bigradish via GitHub <sysbot+gh@w3.org>
Cc: public-webauthn@w3.org
Message-ID: <CALRyZMquJiXDt1+u0d-GybJQDixsRmPodE28jzv+eRL0L1S3Og@mail.gmail.com>

That would disclose privacy sensitive information, as well as wont solve
anything else.

Use can have multiple passkey providers. Each would have to ask user
consent, or you will have limited scope, one password manager. User can as
well export credential, delete it, register, re-import.

Or user can custom credential provider. Or passkey manager decides to lie
because of privacy.

And again, this does not solves issue of non-discoverable credentials, and
security keys.

And lastly, what if the same laptop is used by both wife, and husband? In
that case you would stop husband from registering?

So to summarise:

- Technically difficult (or impossible)
- Privacy horrible
- Easily bypassed
- Effectiveness little
- Value, little.

If you want to prevent users re-registering, aka ensure user uniqueness,
aka personhood, KYC like iProve can solve it much better.

Again, webauthn is a tool for generating assertions, not account management
and enforcement police.

Yuriy Ackermann
AI, Product, Passkey, FIDO, Identity, Standards
github: @yackermann <https://github.com/yackermann>
medium: @yackermann <https://medium.com/@yackermann>

On Fri, 7 Feb 2025 at 2:05 PM, bigradish via GitHub <sysbot+gh@w3.org>
wrote:

> @emlun @yackermann Thank you very much for your reasonable explanation.
> I'm thinking this solution: In the CredentialsContainer.create() method,
> add an option to ask the user to let the authenticator return its GUID in
> the response. If the user denies or the auhenticator fails to do this, the
> create method fails with exceptions.
> This requires that all authenticators have their GUIDs.
> How do you think of this?
>
> --
> GitHub Notification of comment by bigradish
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/2255#issuecomment-2641569582 using
> your GitHub account
>
>
> --
> Sent via github-notify-ml as configured in
> https://github.com/w3c/github-notify-ml-config
>
>

Received on Friday, 7 February 2025 02:26:51 UTC