agl | 10 months ago

WebAuthn protects the sign in, but malware can still steal the resulting cookies. DBSC protects the sign in _session_. (It should stand for Don’t Bother Stealing Cookies.)

mmis1000|10 months ago

If you read the proposal carefully, this API is used to refresh/revalidate an extremely short-lived cookie, not replace the cookie itself. Which you can already do with WebAuthn.

nicce|10 months ago

Maybe there is an assumption that this is easier to push through for the masses because the UX is better (no phone, no physical key required).

ximm|10 months ago

WebAuthn always requires a user presence check though.