Re: [webauthn] Plumb User ID through

> Edit: The above was wrong: exporting the user ID with the assertionresponse allows someone with physical access to the authenticator to turn an RP ID into a user ID. That's the risk that needs to be highlighted in the privacy considerations section.

We only want the user id for the single factor use case (i.e., resident keys).  In such a use case, the attacker has to convince the authenticator that it's the legit user -- so know the right PIN or get the device to cough up the assertion.  Once the assertion is coughed up -- even if there is no user id -- the attacker can just give it to the RP and not only know the user id but actually see the user data...  So IMHO, this is not too much of a concern.  WDYT?

-- 
GitHub Notification of comment by leshi
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-329592200 using your GitHub account

Received on Thursday, 14 September 2017 19:59:16 UTC