- From: Ken Buchanan via GitHub <noreply@w3.org>
- Date: Mon, 27 Oct 2025 00:54:25 +0000
- To: public-webauthn@w3.org
@MasterKale

> Would the try -> catch -> navigate to login/ pattern be so bad for user privacy if there's a chance that the ceremony, with allowCredentials: [] which doesn't reveal anything on its own, simply failed because the user's credential was on a security key in the other room/in a locked credential manager vault that was just too finicky to quickly unlock/etc...? The fact that the proposal takes a usernameless-centric stance on how to invoke immediate mediation doesn't seem as fingerprint-y as to whether the user has an account on the site or not.

I believe the main concern is the situation in which the user has a passkey available and UI is shown, but they decline to sign in with that passkey. The site learns that the user has a passkey available, and likely _could_ have signed in with an existing account.

If no UI is shown, then that doesn't reveal much to the site. There are several reasons why that might happen even for a user who has an account.

The concern being discussed hasn't been about user fingerprinting. In the first case (UI is shown, user dismisses it) the site obtains information that in some cases would be unavailable to it today. It's not a lot of information (one bit, more or less), but the point has been made that it would be difficult for a user to hide it. The question here and in the TAG review has been whether the sign-in experiences that this enables are a reasonable trade-off for that leakage, in particular when compared to the best possible alternatives that don't provide information.

> Question to @kenrb, does "transient activation" require intentional clicking of something on the page? Would e.g. scrolling the page count as transient activation?

Scrolling does not provide an activation. I believe it requires a `mousedown`, `keydown`, or the completion of a touch event on mobile.
--
GitHub Notification of comment by kenrb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3449115121 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 October 2025 00:54:25 UTC
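The "try -> catch -> navigate to login/" pattern and the transient-activation requirement discussed in the comment above, written out as an added example. This is not code from the thread, the WebAuthn spec, or any browser; it assumes that `navigator.credentials.get()` with `mediation: "immediate"` rejects with a `NotAllowedError` when no usable credential is available or the user dismisses the prompt, and that the call must run inside a transient user activation (`mousedown`, `keydown`, or a completed touch) as the reply states. The credentials container is injected so the relying-party logic can be exercised outside a browser with constructed fakes; the function names, the fallback path `/login/` and the `ACTIVATING_EVENTS` set are assumptions made for the example. Note that the relying party cannot tell "no credential" apart from "user declined" from the error alone, which is the one-bit leak the comment describes.

```javascript
// Added example (not from the original thread). Demonstrates the
// try -> catch -> navigate fallback with immediate mediation and the
// user-activation gate. All names below are assumptions for illustration.

// Event types the reply says grant transient activation; scroll does not.
// (Assumed set; browsers define the exact list.)
const ACTIVATING_EVENTS = new Set(["mousedown", "keydown", "touchend"]);

function grantsTransientActivation(eventType) {
  return ACTIVATING_EVENTS.has(eventType);
}

// Attempt a usernameless sign-in with immediate mediation.
// `credentials` is navigator.credentials in a browser; it is a parameter here
// so the logic can be tested with a constructed fake.
// Resolves to { outcome: "signed-in", assertion } or { outcome: "fallback", reason }.
async function attemptImmediateSignIn(credentials, challenge, rpId) {
  const publicKey = {
    challenge,            // BufferSource issued by the server for this ceremony
    rpId,
    allowCredentials: [], // discoverable credentials only; reveals nothing by itself
    userVerification: "preferred",
  };
  try {
    const assertion = await credentials.get({ mediation: "immediate", publicKey });
    return { outcome: "signed-in", assertion };
  } catch (err) {
    // Assumed: NotAllowedError covers "no credential available", "UI dismissed
    // by the user" and "no transient activation". The RP cannot tell them apart,
    // so every case takes the same fallback path.
    if (err && err.name === "NotAllowedError") {
      return { outcome: "fallback", reason: "no-credential-or-declined" };
    }
    throw err; // anything else is a programming error worth surfacing
  }
}

// Decide what the page should do for a given triggering event type.
// Returns "fallback" without calling the API when the event cannot grant
// activation, because the ceremony would fail for a non-privacy reason anyway.
async function handleSignInEvent(eventType, credentials, challenge, rpId) {
  if (!grantsTransientActivation(eventType)) {
    return { outcome: "fallback", reason: "no-transient-activation" };
  }
  return attemptImmediateSignIn(credentials, challenge, rpId);
}

// Browser wiring (assumed; runs only in a page):
// button.addEventListener("mousedown", async (e) => {
//   const challenge = await fetchChallengeFromServer(); // assumed helper
//   const r = await handleSignInEvent(e.type, navigator.credentials, challenge, location.hostname);
//   if (r.outcome === "fallback") location.assign("/login/");
//   else await postAssertionToServer(r.assertion);     // assumed helper
// });
```

The fallback branch deliberately does not distinguish the reasons for failure, which mirrors the point in the thread: from the site's side, "no passkey" and "passkey present but declined" look identical in the catch block, and only the fact that UI was shown to the user turns that into information the site could act on.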