Recommendation on attestation #4
Comments
As specified in WebAuthN specification, no attestation means RPs cannot get AAGUID. This will make it impossible for RPs to check the metadata of the authenticators that are requesting access to the RP. There are so many consumer facing services that want to check metadata as well as FIDO certification levels.
If you want to say anything about go or no-go for attestation, you need to explain more details by discussing pros/cons from both security and usability perspectives, so that readers can make their own decision depending on their priorities.
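To make the AAGUID point above concrete, here is an added example (not code from the issue or from the FIDO Alliance document) of how an RP pulls the AAGUID out of the authenticator data it receives at registration and uses it for a metadata lookup. The sample AAGUID, credential ID and the `KNOWN_AUTHENTICATORS` table are constructed placeholders standing in for a real metadata (MDS) lookup; with attestation "none" the client replaces the AAGUID with 16 zero bytes, so the lookup has nothing to work with.

```python
import struct
from typing import Optional

# Constructed sample values (not from the issue): a made-up AAGUID and a
# placeholder RP-side table standing in for a FIDO metadata (MDS) lookup.
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
ZERO_AAGUID = bytes(16)
KNOWN_AUTHENTICATORS = {
    SAMPLE_AAGUID: {"description": "Example Key (constructed)", "certified": True},
}

FLAG_AT = 0x40  # "attested credential data included" bit in the flags byte


def build_auth_data(aaguid: bytes, cred_id: bytes, flags: int = 0x41) -> bytes:
    """Build minimal WebAuthn authenticator data for the demo (constructed)."""
    rp_id_hash = bytes(32)       # would be SHA-256(rpId) in a real ceremony
    sign_count = 0
    cose_key = b"\xa0"           # empty CBOR map standing in for the COSE public key
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


def extract_aaguid(auth_data: bytes) -> Optional[bytes]:
    """Return the 16-byte AAGUID, or None if no attested credential data is present."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("truncated attested credential data")
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | ...
    return auth_data[37:53]


def lookup_metadata(auth_data: bytes) -> dict:
    """RP-side policy decision: can this authenticator be identified and checked?"""
    aaguid = extract_aaguid(auth_data)
    if aaguid is None or aaguid == ZERO_AAGUID:
        # attestation "none": the client zeroes the AAGUID, so certification
        # level and other metadata cannot be checked at all
        return {"aaguid": None, "known": False, "reason": "no attestation / AAGUID zeroed"}
    entry = KNOWN_AUTHENTICATORS.get(aaguid)
    if entry is None:
        return {"aaguid": aaguid.hex(), "known": False, "reason": "AAGUID not in metadata"}
    return {"aaguid": aaguid.hex(), "known": True, **entry}
```

A real RP would also verify the attestation statement and signature before trusting the AAGUID; this block only shows the parsing and the metadata decision that attestation "none" makes impossible.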
There are five places where the same note is pasted.
Since the same text is repeated 5 times, we may consider adding it to the end of the whole document in the footnote section.
Created a PR, #23
The main purpose of attestation from an RP's perspective is security. Thus, this recommendation should be addressed from both the security and usability perspectives. The current text lacks the security perspective of attestation. If FIDO Alliance wants to recommend something on attestation, we should provide reasons and options for RPs so that they can make their own decisions that will suit their business objectives.
N.B.
Other issues: We want browser vendors to reconsider their policy to bring up a warning pop-up when attestation is requested. There are many attestations that do not reveal users to anyone, and the pop-up only deteriorates UX.