- From: Martin Thomson via GitHub <noreply@w3.org>
- Date: Tue, 01 Jul 2025 04:09:15 +0000
- To: public-webauthn@w3.org
martinthomson has just created a new issue for https://github.com/w3c/webauthn:

== Document privacy considerations of immediate mediation ==

(I have no idea how to file this correctly, apologies for any potential abuse of the process here.)

## Proposed Change

The addition of immediate mediation (which is not justifiable, in my view, but that's separate) creates information leakage in two directions, outside of the one success path (there is a passkey and the user chooses to use it):

1. If the user has no previous passkey in any context for this site, the immediate return will leak that information.
2. If the user does have a previous passkey, but does not choose to reveal it, then the delayed return will leak that information.

The former is acknowledged in the discussion thus far (though this is characterized as a fingerprinting risk, which is potentially misleading), the latter is not, but it should be.

This came up in discussions after the TAG review. One use case that was identified was explicit cookie clearing. There are many reasons that people clear cookies, but one is to prevent same-context recognition from a site. This undermines that goal, because the passkey is not cleared and the presence or absence of a passkey from before the cookie-clearing event comprises unwanted information leakage in that case.

This is also the case when a user uses features like Firefox's [containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/), where the presence or absence of a passkey that was created in one container will be visible to other containers. This is because credentials (including passkeys) transcend container boundaries.

In any event, my reservations about this undermining user autonomy aside, this leakage needs to be better documented in #2291. Suggesting methods for handling these cases in a way that doesn't lead to information leakage would be ideal.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2307 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 1 July 2025 04:09:16 UTC