- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Sat, 08 Feb 2025 01:57:52 +0000
- To: public-webauthn@w3.org

That would be even worse for privacy (as others have already pointed out) and still have the same problem that it's trivial to bypass. Again: why would the user be honest about returning a genuine GUID (remember, the user can just choose a browser that returns a random GUID on every call) if you've already assumed they're _not_ honest about only registering one account? Even if we assume the GUID feature was implemented and worked flawlessly with all authenticators in all browsers, why wouldn't the user just get a second authenticator to register a second account? It would not solve your problem, would not respect user privacy, and would not be backwards compatible with existing hardware security keys. There are no benefits to this, only downsides.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2255#issuecomment-2644424889 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 8 February 2025 01:57:52 UTC