Re: [webauthn] Document privacy considerations of immediate mediation (#2307)

@martinthomson I have expanded the privacy section in https://github.com/w3c/webauthn/pull/2291/ to better detail the privacy consequences of Immediate. It now explains that a site can measure timing to determine that a user has a credential available. The inverse, when UI is not shown, can indicate that the user does not have a credential, but there are other reasons to not show UI so that is not a reliable signal.

Unfortunately the usage that we are trying to enable has that leakage as an inherent downside, so there are currently no suggestions for mitigation. The question of whether there are alternative sign-in flows that do not have this leakage, and still provide the benefits that we hope to achieve, is being discussed on the [main issue](https://github.com/w3c/webauthn/issues/2228).

@toreini The incognito concern should now be clearer in the privacy section, and the expected user agent behaviour to prevent that from being detectable by the Relying Party.

-- 
GitHub Notification of comment by kenrb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2307#issuecomment-3493864031 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 5 November 2025 22:30:52 UTC