Re: [webauthn] Add a method to get the count of the credentials for a relying party on the client device to support the relying party (website) in limiting the number of accounts a user can register (#2222)

> If a user can register an unlimited number of accounts on a website easily

This can be done irrespective of whether this kind of API addition exists or not. The user simply makes the credentials unavailable to the browser itself. The goal of WebAuthn is not to solve identity management, but rather to facilitate the creation of cryptographic keys and later verify via mathematical proof that someone has access to them (likely the person who created them).

Registration concerns, including but not limited to multiple registration, rate limiting, etc., are in scope for business logic, and definitionally out of scope of this standard. You can solve this in many ways such as endpoint rate limits, requiring some form of additional validation that takes time, requiring accounts to be created prior to registering a WebAuthn credential, using information already available to you such as their IP or long-lived session cookies, etc.

For malicious spam creation, which is likely to be done via bots or automation, it's *completely trivial* to circumvent any specification addition in this area. There is quite literally no way to keep track of mildly sophisticated malicious parties and how many accounts they truly have created credentials for.

-- 
GitHub Notification of comment by james-d-elliott
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2222#issuecomment-2623639845 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 30 January 2025 06:40:11 UTC
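The comment above argues that limiting registrations is relying-party business logic, enforced on the server before a `navigator.credentials.create()` ceremony is ever offered, rather than a count the client could report. The following is an added example illustrating that server-side gate; it is not code from the w3c/webauthn project or from the comment's author. The class name `RegistrationGate`, the cap and window values, the dict-shaped session, and the sample IP address are all constructed assumptions. It combines three of the mitigations the comment lists: an authenticated account session must exist before registration, registration attempts are rate limited per source IP in a sliding window, and the number of credentials the server has actually stored for an account is capped. Note that the only count the server can trust is its own stored record, which is exactly why a client-reported count would add nothing.

```python
"""Server-side gate for starting a WebAuthn registration ceremony.

Added example, not part of the w3c/webauthn thread or any project's code.
Everything here (class name, limits, session shape, sample IP) is a
constructed assumption chosen to illustrate the comment's point.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class RegistrationGate:
    # Assumed policy values; a real relying party tunes these to its risk model.
    max_credentials_per_account: int = 5
    max_attempts_per_ip: int = 10
    window_seconds: int = 3600
    # account_id -> number of credentials the server has stored.
    # This is the only credential count the relying party can trust:
    # credentials the browser never shows the server are invisible here.
    credentials: dict = field(default_factory=lambda: defaultdict(int))
    # client_ip -> timestamps (seconds) of recent registration attempts
    attempts: dict = field(default_factory=lambda: defaultdict(deque))

    def may_begin_registration(self, session, client_ip, now):
        """Decide whether to issue a registration challenge.

        Returns (allowed, reason). `session` is the server-side session
        record for this request (a dict here, hypothetical shape),
        `client_ip` the source address, `now` a monotonic timestamp.
        """
        # 1. Require an account that already exists and is logged in, so a
        #    WebAuthn credential is added to an account, not used to mint one.
        if session is None or not session.get("authenticated"):
            return False, "no_authenticated_session"
        account_id = session["account_id"]

        # 2. Sliding-window rate limit per source IP. Denied attempts still
        #    consume budget, so a client cannot probe the cap for free.
        recent = self.attempts[client_ip]
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_attempts_per_ip:
            return False, "ip_rate_limited"
        recent.append(now)

        # 3. Cap on credentials the server has stored for this account.
        if self.credentials[account_id] >= self.max_credentials_per_account:
            return False, "account_credential_cap"
        return True, "ok"

    def record_registered(self, account_id):
        """Call after the attestation response has been verified and stored."""
        self.credentials[account_id] += 1


if __name__ == "__main__":
    # Constructed sample walk-through with a small cap so the limits trigger.
    gate = RegistrationGate(max_credentials_per_account=2,
                            max_attempts_per_ip=3, window_seconds=60)
    alice = {"authenticated": True, "account_id": "alice"}
    print(gate.may_begin_registration(None, "203.0.113.5", 1000))
    print(gate.may_begin_registration(alice, "203.0.113.5", 1000))
    gate.record_registered("alice")
    gate.record_registered("alice")
    print(gate.may_begin_registration(alice, "203.0.113.5", 1001))
```

The gate runs before the challenge is generated; a client that never completes the ceremony never reaches `record_registered`, so the stored count only grows on verified attestations. The IP window is deliberately checked after the session check and before the cap so that unauthenticated traffic is rejected cheaply and repeated cap probes still burn rate-limit budget.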