[webauthn] Give each authenticator a GUID and add an option to CredentialsContainer: create method to return this GUID if user permits (#2263)

bigradish has just created a new issue for https://github.com/w3c/webauthn:

== Give each authenticator a GUID and add an option to CredentialsContainer: create method to return this GUID if user permits ==
## Description

It is very easy for a user to register many accounts on a website which purely uses WebAuthn for its registration module.
A common solution on many of today's websites to prevent a user from registering too many accounts is: first require the user to provide his/her mobile phone number, and then send a random number to the phone and ask the user to send this random number back with other data to verify the phone number. This discloses an important piece of user privacy (the mobile phone number), and leads to the user's phone being spammed with unsolicited calls and messages.
If each authenticator (no matter whether it is hardware or software) can be given a GUID (Globally Unique Identifier), and an option, e.g., `requireAuthenticatorID`, can be added to the CredentialsContainer: create method to return this GUID with the user's permission, the role of the user's mobile phone number can be replaced by the GUID in the registration process, and thus the spamming of the phone can be avoided.
To respect user privacy, the option (`requireAuthenticatorID`) defaults to "false", and if it is set to "true", the browser, when the CredentialsContainer: create method is called, will ask the user to decide whether he/she permits the authenticator GUID to be returned. If the user denies, the GUID is not provided, and the create method fails with an exception; if the user permits, the GUID is returned in the result of the create method, in the same way as the AAGUID (Authenticator Attestation Globally Unique Identifier).
The authenticator GUID cannot be used to achieve one account per user (a user phone number also cannot). A user can register two or more accounts with one authenticator, and can register even more with more authenticators, but this costs his/her money and time. This is the intended effect.


## Related Links

For Authenticator, see https://w3c.github.io/webauthn/#authenticator
For AAGUID, see https://w3c.github.io/webauthn/#aaguid
For Attestation, see https://w3c.github.io/webauthn/#attestation
For Attestation Certificate, see https://w3c.github.io/webauthn/#attestation-certificate


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2263 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 21 February 2025 03:10:57 UTC
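The flow the issue proposes, as an added model for discussion: this is not code from the issue, the WebAuthn specification or any browser. `simulatedCreate()` stands in for `navigator.credentials.create()`, `promptUser` for the browser's consent dialog, and the option name `requireAuthenticatorID`, the result field `authenticatorGuid` and the `NotAllowedError` name are all assumptions about a proposal that has no implementation. The relying-party `Registry` shows where the per-authenticator limit would sit in place of a phone-number check, with the authenticator, RP and user values constructed for the example.

```javascript
// Added model of the proposal in w3c/webauthn#2263. Nothing here is a real
// browser API: simulatedCreate() stands in for navigator.credentials.create(),
// promptUser for the browser's consent dialog, and the option name
// `requireAuthenticatorID` / result field `authenticatorGuid` are assumptions.

// Constructed authenticator: the GUID is fixed for the life of the device,
// unlike the AAGUID, which is shared by a whole model line.
function makeAuthenticator(guid) {
  return { guid, aaguid: "00000000-0000-0000-0000-000000000000" };
}

let nextCredentialId = 1; // stand-in for the credential id an authenticator mints

// Simulated CredentialsContainer.create(). Synchronous for ease of testing;
// the real method returns a Promise.
function simulatedCreate(options, authenticator, promptUser) {
  const pk = options.publicKey;
  if (!pk || !pk.rp || !pk.user || !pk.challenge) {
    throw new TypeError("publicKey options incomplete");
  }
  const result = {
    id: `cred-${nextCredentialId++}`, // model credential id
    aaguid: authenticator.aaguid,     // attestation already exposes this today
    authenticatorGuid: null,          // only filled in with user consent
  };
  // Proposed option defaults to false: no prompt is shown and no GUID leaves the device.
  if (pk.requireAuthenticatorID === true) {
    if (!promptUser(pk.rp.id)) {
      // Proposal: create() fails when the user declines to disclose the GUID.
      const err = new Error("user declined to disclose the authenticator GUID");
      err.name = "NotAllowedError"; // assumed error name
      throw err;
    }
    result.authenticatorGuid = authenticator.guid;
  }
  return result;
}

// Relying-party side: at most `maxPerGuid` accounts per authenticator GUID,
// the role the issue assigns to a phone number today.
class Registry {
  constructor(maxPerGuid = 2) {
    this.max = maxPerGuid;
    this.byGuid = new Map();
    this.accounts = [];
  }
  register(username, credential) {
    const g = credential.authenticatorGuid;
    if (!g) return { ok: false, reason: "authenticator GUID not disclosed" };
    const n = this.byGuid.get(g) || 0;
    if (n >= this.max) return { ok: false, reason: "account limit reached for this authenticator" };
    this.byGuid.set(g, n + 1);
    this.accounts.push({ username, credentialId: credential.id, guid: g });
    return { ok: true };
  }
}

// Builds PublicKeyCredentialCreationOptions-shaped input; values are constructed.
function createOptions(name, requireId) {
  const publicKey = {
    rp: { id: "example.test", name: "Example RP" },
    user: { id: new Uint8Array(16), name, displayName: name },
    challenge: new Uint8Array(32), // a real RP sends a fresh random challenge
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  };
  if (requireId) publicKey.requireAuthenticatorID = true;
  return { publicKey };
}

// Walks through the flows described in the issue and returns the outcomes.
function demo() {
  const reg = new Registry(2);
  const device = makeAuthenticator("11111111-2222-3333-4444-555555555555"); // constructed
  const allow = () => true;
  const deny = () => false;

  // Same device, three registrations: the third exceeds the per-GUID limit.
  const results = ["alice", "alice2", "alice3"].map((name) =>
    reg.register(name, simulatedCreate(createOptions(name, true), device, allow)).ok
  );

  // User declines the prompt: create() itself fails.
  let deniedError = null;
  try {
    simulatedCreate(createOptions("bob", true), device, deny);
  } catch (e) {
    deniedError = e.name;
  }

  // Option left at its default: the prompt callback is never called and no GUID is returned.
  const plain = simulatedCreate(createOptions("carol", false), device, deny);

  return {
    results,
    deniedError,
    guidWithoutOption: plain.authenticatorGuid,
    registered: reg.accounts.length,
  };
}
```

Run with `node` and call `demo()`; the returned object shows the per-authenticator limit refusing the third account, the `NotAllowedError` on a declined prompt, and a `null` GUID when the option is left at its default. The limit lives on the relying-party side because the browser only brokers consent; the GUID is a stable cross-site identifier once disclosed, which is why the default-off, prompt-gated design matters to the proposal.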