W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2017

[webauthn] Bug: getAssertion accidentally calls authenticatorGetAssertion in first factor mode

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 13 Nov 2017 16:07:14 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-273484275-1510589232-sysbot+gh@w3.org>
emlun has just created a new issue for https://github.com/w3c/webauthn:

== Bug: getAssertion accidentally calls authenticatorGetAssertion in first factor mode ==
Step 16 of [ยง5.1.4.1][get] instructs to for each `authenticator`

1. Let `allowCredentialDescriptirList` be `options.allowCredentials` filtered to contain only the credentials bound to this `authenticator`.
2. If `allowCredentialDescriptorList` is empty, call `authenticatorGetAssertion` in first factor mode (i.e. with no `allowCredentialDescriptorList` argument)
3. If `allowCredentialDescriptorList` is not empty, call `authenticatorGetAssertion` in second factor mode (i.e. with a nonempty `allowCredentialDescriptorList` argument)

This means that if the RP sends `allowList: [{ type: "public-key", id: "AAAA" }]` and there is a 1st factor capable authenticator available which the client can identify as bound to the credential `BBBB` but not `AAAA`, the client will still call `authenticatorGetAssertion` on that authenticator with no `allowCredentialDescriptorList` argument. The authenticator will (with the user's consent) happily comply and return an assertion by credential `BBBB` instead of `AAAA`, and the RP will be confused.

Some possible solutions:

 1. Remove the filtering step from `getAssertion` completely and let the similar filtering step in [`authenticatorGetAssertion`][authnr-get] do all the work. This has the drawback that unnecessarily many bytes may be sent to external authenticators.
2. Move the 1st factor mode invocation branch to before filtering, and skip the authenticator completely if `options.allowCredentials` is nonempty and is known to not intersect with the credentials available on the authenticator.

[get]: https://w3c.github.io/webauthn/#discover-from-external-source
[authnr-get]: https://w3c.github.io/webauthn/#op-get-assertion

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/685 using your GitHub account
Received on Monday, 13 November 2017 16:07:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:44 UTC