Re: [webauthn] related origins enables sharing across relying parties (#2319)

My concern was that users may inadvertently use a strong authenticator to connect their identity between multiple origins, when they think they are just logging in with a separate identity. Owners of multiple domains with potentially sensitive identities might be significant here, although the definition of related origins based on a new concept of labels could also include many, many origins.

The response from the group seemed to be that some of these combination threats already exist -- for example, password managers often have ad hoc collections of origins where the password manager is trying to helpfully use the same username/password combination on different origins when the manager believes they have a shared login system, or redirects (also a tracking mechanism). While we would like to improve privacy including in those existing situations, there seemed to be little interest in pursuing narrowing those cases. The Working Group's approach seems to be that it's up to the user agent to clearly communicate what's happening to the user, and up to the user to interpret the UI, notice that the dialog UI shows a different origin from the URL bar (or a different RP ID, which I guess could be different from either) and consider the implications.

Based on conversation with the group, it seemed like the concern about silent auto-login across related origins (a concern raised by @pes10k in particular) is already prohibited by the spec. (We had some confusion in reading all the interrelated specs, but we anticipate that the editors and groups best understand.)

We had discussed some potential ways forward in our call on 3 September 2025, although I can't find any documented minutes from that meeting, unfortunately. I think the suggestion was that the privacy threats could be documented explicitly, the responsibility on user agents could be made a clear normative requirement, and we could consider ways to prevent abuse of the list to include apparently unrelated origins (as was proposed with related work in First-Party Sets/Related Website Sets). Some in the Working Group thought some of those changes could be possible, but maybe not until a subsequent version. Given that the feature was wanted by sites and user agents and already deployed and committed to, the Working Group would not consider refraining from a feature that would expand the site concept across many origins.

-- 
GitHub Notification of comment by npdoty
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2319#issuecomment-3520015765 using your GitHub account



Received on Wednesday, 12 November 2025 05:12:39 UTC