- From: Ackermann Yuriy via GitHub <sysbot+gh@w3.org>
- Date: Tue, 11 Feb 2025 08:56:26 +0000
- To: public-webauthn@w3.org
1. Are you referring to [excludeCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-excludecredentials)? Again, this would only prevent the user from re-registering.
2. That would disclose that the user does not want to share information.
3. Again, the WebAuthn API is not an account management system lol. It's a key management API.

And lastly, as stated before, the web security model is based on no trust in the user side. The server must at all times be aware that nothing that comes from the browser can be trusted. Making stuff read-only, etc., does not matter, since extensions will just override your JS and send you false information.

Most importantly, malicious actors won't care about the browser, specs, whatever. They will simply run a broken version of the browser with a "fixed" API and abuse your system to the end.

The best you can do is correctly build your threat model, use KYC techniques like iProve, etc., register people by phone number, and many, many other ways to limit the attack vector. OWASP is your friend: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html

--
GitHub Notification of comment by yackermann
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2255#issuecomment-2650176548 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 11 February 2025 08:56:27 UTC
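The point made in the message above, that excludeCredentials is only a hint a cooperating client honours and that the relying party must enforce its own checks on whatever the browser returns, can be illustrated with a minimal server-side verification of a registration response. The following is an added example, not code from the WebAuthn specification repository or from the message author. The relying party id, expected origin, in-memory registry and the sample response are constructed for the example; attestation statement and COSE key parsing are omitted so that only the server-side checks (ceremony type, challenge, origin, rpIdHash, flags and duplicate credential id) are shown.

```python
"""Server-side checks on a WebAuthn registration response (added example).

A client that ignores excludeCredentials, or a modified browser, can return a
credential id the relying party already holds. The server therefore rejects
duplicates from its own registry instead of relying on the client-side hint.
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                 # assumed relying party id for this example
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the RP serves its pages from


class RegistrationError(Exception):
    """Raised when a registration response fails a server-side check."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_attested_credential(auth_data: bytes) -> dict:
    """Parse the fixed prefix of authenticatorData and extract the credential id.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key ...
    The COSE public key that follows the credential id is not parsed here.
    """
    if len(auth_data) < 37:
        raise RegistrationError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & 0x01:          # UP: user present
        raise RegistrationError("user presence flag not set")
    if not flags & 0x40:          # AT: attested credential data included
        raise RegistrationError("attested credential data missing")
    if len(auth_data) < 55:
        raise RegistrationError("attested credential data truncated")
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise RegistrationError("credential id truncated")
    return {"rp_id_hash": rp_id_hash, "sign_count": sign_count, "credential_id": cred_id}


def verify_registration(response: dict, expected_challenge: bytes, registry: dict, user_id: str) -> bytes:
    """Validate clientDataJSON and authenticatorData, then store the credential.

    `registry` maps credential id bytes to the owning user; it stands in for the
    relying party's database in this example.
    """
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.create":
        raise RegistrationError("wrong ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise RegistrationError("challenge mismatch")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise RegistrationError("origin mismatch")

    parsed = parse_attested_credential(b64url_decode(response["authenticatorData"]))
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise RegistrationError("rpIdHash mismatch")

    cred_id = parsed["credential_id"]
    # Enforced here, on the server: excludeCredentials cannot guarantee this.
    if cred_id in registry:
        raise RegistrationError("credential already registered")
    registry[cred_id] = {"user": user_id, "sign_count": parsed["sign_count"]}
    return cred_id


def build_sample_response(challenge: bytes, cred_id: bytes, origin: str = EXPECTED_ORIGIN) -> dict:
    """Constructed registration response for the example (no real authenticator involved)."""
    client_data = json.dumps(
        {"type": "webauthn.create", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()
    auth_data = (
        hashlib.sha256(RP_ID.encode()).digest()   # rpIdHash
        + bytes([0x41])                            # flags: UP | AT
        + struct.pack(">I", 0)                     # signCount
        + bytes(16)                                # aaguid (zeroed)
        + struct.pack(">H", len(cred_id)) + cred_id
    )
    return {"clientDataJSON": b64url_encode(client_data), "authenticatorData": b64url_encode(auth_data)}


if __name__ == "__main__":
    registry, challenge, cred_id = {}, b"\x07" * 32, b"\x01" * 16
    verify_registration(build_sample_response(challenge, cred_id), challenge, registry, "alice")
    try:  # a client that ignored excludeCredentials re-submits the same credential
        verify_registration(build_sample_response(challenge, cred_id), challenge, registry, "bob")
    except RegistrationError as err:
        print("rejected:", err)
```

The duplicate check keys on the credential id returned in authenticatorData, not on anything the page's JavaScript claims, so a modified client gains nothing by dropping excludeCredentials from the options it passes to the authenticator.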