Re: [webauthn] PublicKeyCredentialUserEntity difference between name, displayName and id not clear

Oh right, I think I can answer that myself. It's to support first factor login while making it harder for an attacker with a stolen authenticator to identify the authenticator's user, right? And that's also why you shouldn't put something identifying like an email address in `user.id`.

But wait, aren't you saying that the UI for selecting a first factor credential will display the `name` and/or `displayName` to the user? Then what would prevent the attacker from identifying the user by simply trying a bunch of first factor authentication challenges?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/622#issuecomment-336098196 using your GitHub account

Received on Thursday, 12 October 2017 11:19:46 UTC
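
The point in the comment above about keeping identifying data such as an email address out of `user.id` can be enforced on the relying-party side. The following is an added example, not code from the comment or from the WebAuthn specification; the function names, the `account` record shape and the sample values are assumptions made for illustration. It covers only `user.id`, not what a credential picker displays from `name` or `displayName`.

```javascript
// Added example: hypothetical relying-party helpers, not part of any WebAuthn library.
// Works in browsers and Node; falls back to node:crypto where no global Web Crypto exists.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const MAX_USER_HANDLE_BYTES = 64; // WebAuthn caps user.id at 64 bytes

// Constructed sample account record (assumed shape: { email, fullName }).
const SAMPLE_ACCOUNT = { email: 'alice@example.com', fullName: 'Alice Example' };

// Build the `user` member of PublicKeyCredentialCreationOptions.
// The handle is random and opaque; the server stores it against the account.
function newUserEntity(account) {
  return {
    id: webcrypto.getRandomValues(new Uint8Array(32)),
    name: account.email,           // human-readable account identifier
    displayName: account.fullName  // friendly name for display
  };
}

// Return a list of problems with a candidate user.id (empty list = acceptable).
function auditUserHandle(id, account) {
  const problems = [];
  if (id.length === 0) problems.push('empty');
  if (id.length > MAX_USER_HANDLE_BYTES) problems.push('longer than 64 bytes');
  // Decode leniently: a random handle will not spell out account strings,
  // while a handle built from the email or name will.
  const text = new TextDecoder('utf-8').decode(id).toLowerCase();
  for (const field of [account.email, account.fullName]) {
    if (field && text.includes(field.toLowerCase())) {
      problems.push('contains identifying text: ' + field);
    }
  }
  return problems;
}
```
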