Open nicksteele opened 3 years ago
My sense is that the [proposal from the OP](https://github.com/w3c/webauthn/issues/1563#issue-802917745) in the original issue - i.e. sharing the name of the platform-default authenticator - would bring basically zero additional fingerprinting: determining what platform a web site is being rendered on is indeed already possible using a variety of other platform-specific exposed features. @nicksteele, do you know if that specific proposal had been considered in the WG and/or discussed with the Privacy IG?
The only thing we currently can expose is whether or not the client device has a platform-based authenticator present, via the `isUserVerifyingPlatformAuthenticatorAvailable()`. However there has been much recent discussion in the WG issues (however, not on the working group calls) about how we can fix this. It was mentioned in the WG that we should discuss this issue in the CG, and try to determine solutions that don't allow RPs to fish for authenticator info. I'm not sure if this was discussed in the Privacy interest group.
My hope is we can discuss it on the call this week and then come back to the WG (or FIDO TWG or Privacy IG) with potential solutions.
The best we can do on this front right now is infer the type of platform authenticator based on heuristics involving values returned by attestation. The conversation in the WG thus far has not been friendly to the idea of some kind of `getUserVerifyingPlatformAuthenticatorName()` as it could potentially be privacy-invasive vis-a-vis browser fingerprinting (as Nick mentioned above).
I think development of some kind of common heuristics model could definitely fall under the CG. Level 2 isn't going anywhere and so there's need of some kind of solution while this gets hashed out to maybe become a feature of a future Level...
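The attestation heuristic mentioned in the comment above, sketched as an added example that is not from the thread or the WebAuthn specification: it reads `fmt` from a registration's `attestationObject` and maps it to a label. The table contents and the names `cborDecode`, `FMT_HINTS`, `guessPlatformAuthenticator` and `sampleAttestationObject` are assumptions of this example.

```javascript
// Minimal CBOR reader for what an attestationObject uses (definite lengths only).
function cborDecode(buf, pos = 0) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos++] & 0x1f;
  let len = info;
  if (info >= 24 && info <= 27) {          // length/value in next 1, 2, 4 or 8 bytes
    const n = 1 << (info - 24);
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
    pos += n;
  } else if (info > 27) throw new Error("unsupported CBOR length encoding");
  if (major === 0) return [len, pos];                  // unsigned int
  if (major === 1) return [-1 - len, pos];             // negative int (e.g. COSE alg)
  if (major === 2 || major === 3) {                    // byte string / text string
    const bytes = buf.subarray(pos, pos + len);
    return [major === 3 ? new TextDecoder().decode(bytes) : bytes, pos + len];
  }
  if (major !== 4 && major !== 5) throw new Error("unsupported CBOR type " + major);
  const items = [];
  for (let i = 0; i < (major === 5 ? 2 * len : len); i++) {
    let v;
    [v, pos] = cborDecode(buf, pos);
    items.push(v);
  }
  if (major === 4) return [items, pos];
  const map = new Map();                               // items alternate key, value
  for (let i = 0; i < items.length; i += 2) map.set(items[i], items[i + 1]);
  return [map, pos];
}

// Heuristic labels per attestation statement format: assumptions of this example.
const FMT_HINTS = new Map([
  ["apple", "Apple platform authenticator"],
  ["tpm", "TPM-backed, commonly Windows Hello"],
  ["android-key", "Android platform authenticator"],
  ["android-safetynet", "Android platform authenticator"],
]);
// requestedAttachment: what the RP set in authenticatorSelection.authenticatorAttachment.
function guessPlatformAuthenticator(attestationObject, requestedAttachment) {
  if (requestedAttachment !== "platform") return "not requested as platform";
  const [att] = cborDecode(new Uint8Array(attestationObject));
  return FMT_HINTS.get(att.get("fmt")) || "unknown";
}
// Constructed sample: {"fmt": fmt, "attStmt": {}, "authData": 37 zero bytes}.
function sampleAttestationObject(fmt) {
  const t = (s) => [0x60 + s.length, ...new TextEncoder().encode(s)];
  return Uint8Array.from([0xa3, ...t("fmt"), ...t(fmt), ...t("attStmt"), 0xa0,
    ...t("authData"), 0x58, 37, ...new Array(37).fill(0)]);
}
```

Formats such as `packed` and `none` are shared across platforms, so they come back as `unknown`; with attestation conveyance `none` the RP gets no signal from this heuristic at all.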
Just a quick recap on the idea, following today's call:
`getUserVerifyingPlatformAuthenticatorName()` to WebAuthn would help RPs with introducing Platform Authenticator modalities to consumers, i.e., "non-enterprise" users
`getUserVerifyingPlatformAuthenticatorNames()` and let the RP decide.
In reference to Issue #1563 from the Working Group, discuss potential privacy-preserving solutions and, if necessary, additions to the specification that can help RP developers have more information about authenticators for a better user experience.