Today, when RPs ask the user to register a FIDO authenticator, it is difficult to learn what to ask the user for (Fingerprint, Security Key, FIDO Authenticator, ...).
Ideally they would ask "Do you want to register a FIDO Authenticator?" - but not all users might understand that.
Note: Asking for "Do you want to register your Security Key?" is highly confusing when platform authenticators are being used.
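As an added illustration (editor's example, not code from this issue or from the WebAuthn specification itself), one way an RP can address the wording problem described above is to derive the prompt from the `authenticatorAttachment` it requests, and, after registration, label the stored credential using the transports the authenticator reports via `AuthenticatorAttestationResponse.getTransports()` (a `"internal"` transport denotes a platform authenticator). The prompt strings, the `rpId`/`userName` values and the challenge bytes below are constructed for the example; in production the challenge and user handle must be fresh, server-generated values. Requesting `attestation: "none"` is a deliberate choice here so the RP does not collect authenticator make/model data it does not need.

```javascript
// Added example: choosing registration wording and labelling the resulting
// credential. Assumes a browser with the WebAuthn API for registerAuthenticator();
// the other functions are pure and run anywhere.

// Map the attachment the RP asks for (WebAuthn enum values "platform" /
// "cross-platform") to user-facing wording. The wording is an assumption.
function promptTextFor(attachment) {
  switch (attachment) {
    case 'platform':
      return 'Register this device (its built-in fingerprint, face or PIN unlock) as a sign-in method?';
    case 'cross-platform':
      return 'Register a security key as a sign-in method?';
    default:
      return 'Register a FIDO authenticator as a sign-in method?';
  }
}

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `challenge` and `userId` are Uint8Arrays that must come from the server.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge, attachment }) {
  const options = {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: 'none', // do not collect make/model attestation the RP does not need
    authenticatorSelection: { userVerification: 'preferred' },
  };
  // Only constrain the attachment when the RP actually has a preference;
  // omitting it lets the user pick any authenticator type.
  if (attachment === 'platform' || attachment === 'cross-platform') {
    options.authenticatorSelection.authenticatorAttachment = attachment;
  }
  return options;
}

// Classify a registered credential from the transports reported by
// AuthenticatorAttestationResponse.getTransports(). Per the spec, "internal"
// means the authenticator is part of the client device (a platform authenticator).
function classifyFromTransports(transports) {
  const t = Array.isArray(transports) ? transports : [];
  if (t.includes('internal')) return 'platform';
  if (t.some((x) => ['usb', 'nfc', 'ble', 'hybrid'].includes(x))) return 'cross-platform';
  return 'unknown';
}

// Browser-only wrapper: prompt, register, and return a label the RP can store so
// the next prompt for this credential can use matching wording.
async function registerAuthenticator(opts) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn is not available in this environment');
  }
  if (!window.confirm(promptTextFor(opts.attachment))) return null;
  const publicKey = buildRegistrationOptions(opts);
  const cred = await navigator.credentials.create({ publicKey });
  const transports = typeof cred.response.getTransports === 'function'
    ? cred.response.getTransports()
    : [];
  return { credentialId: cred.id, kind: classifyFromTransports(transports) };
}

// Constructed sample input (not a real challenge): shows the options shape offline.
const sampleOptions = buildRegistrationOptions({
  rpId: 'example.test',
  rpName: 'Example RP',
  userId: new Uint8Array([1, 2, 3, 4]),
  userName: 'alice',
  challenge: new Uint8Array(32),
  attachment: 'platform',
});
```

The stored `kind` value feeds straight back into `promptTextFor()` at the next registration or re-enrolment, so a user who enrolled a platform authenticator is not asked about a "Security Key" later.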
By providing such information to RPs, the standard runs the risk of enabling the violation of privacy protections mandated by law in some parts of the world (all parts, if rationality prevailed). California's Consumer Privacy Act (CCPA) recognizes IP addresses and similar metadata as Personally Identifiable Information (PII). Yes, RPs have to conform to the law - not Standards organizations. But, if a protocol/standard leaks information that violates evolving/progressive privacy regulations, there is a good chance that influential non-technologists (lawyers) will kill the use of the technology to protect the company from liability.
By shielding customers from understanding some of the UX semantics of FIDO-based authentication, we are perpetuating the problem: that of treating users as being incapable of using something a little different because of our own preconceived notions.
I would strongly encourage the FIDO Alliance and W3C to work on creating educational material to "lift users up" by giving them the knowledge they need, so that they know what to do with their brand/type of Authenticator when prompted to use their FIDO Authenticator, rather than to "dumb them down" further. In the long term, educating users will be a win-win situation for everybody concerned.
(In case you're wondering what is the harm in shielding them from information they ought not to/might not care about, you only have to read the current headlines in newspapers to see the consequences of that strategy).