
Re: [webauthn] Security threat: Username enumeration

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Aug 2018 18:13:08 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-409670103-1533147187-sysbot+gh@w3.org>
The user ID is part of the signed assertion. If it is generated by anyone other than the legitimate user it would be an invalid assertion as they would not have the correct key.

Any response to the Authenticating party happens above the level of WebAuthentication.
The application typically returns a session cookie or an error.

The application indicating if the account exists or not as part of an invalid authentication is outside the scope of WebAuthn.

The general W3C privacy guidelines should cover this.
There is no protocol change required for first-factor authentication.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1014#issuecomment-409670103 using your GitHub account
Received on Wednesday, 1 August 2018 18:13:22 UTC
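The two points in the comment above, that the user handle is covered by the credential's signature and that the account-exists/does-not-exist distinction is an application-layer concern, can be seen in a minimal relying-party verifier. The following Go program is an added example written for this archive page; it is not code from the WebAuthn specification or from any project discussed in the thread. It uses the standard library's ES256 (ECDSA P-256 with SHA-256) to simulate an authenticator and an RP. Credential IDs, user handles, authenticator data and clientDataJSON are constructed placeholders, and the challenge, origin and rpIdHash checks a real RP must also perform are left out so the focus stays on the signature binding and on returning one uniform error for every failure path, which is the mitigation for the enumeration concern raised in the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Credential is what the relying party (RP) stored at registration time:
// the user handle the credential belongs to and the credential public key.
type Credential struct {
	UserHandle []byte
	PublicKey  *ecdsa.PublicKey
}

// Assertion is the subset of a WebAuthn assertion response used here.
// Challenge, origin and rpIdHash checks are deliberately omitted (assumption
// for this example); a production verifier must perform them as well.
type Assertion struct {
	CredentialID      string
	UserHandle        []byte
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ES256 signature in ASN.1 DER form
}

// ErrAuthFailed is the only error Verify ever returns, so an unknown
// credential, a wrong user handle and a bad signature look identical to the caller.
var ErrAuthFailed = errors.New("authentication failed")

// RelyingParty holds registered credentials keyed by credential ID.
type RelyingParty struct {
	creds map[string]Credential
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: make(map[string]Credential)}
}

// Register stores a credential, as an RP would after a registration ceremony.
func (rp *RelyingParty) Register(credID string, userHandle []byte, pub *ecdsa.PublicKey) {
	rp.creds[credID] = Credential{UserHandle: userHandle, PublicKey: pub}
}

// assertionDigest computes SHA-256(authenticatorData || SHA-256(clientDataJSON)),
// the value an ES256 assertion signature covers.
func assertionDigest(authData, clientDataJSON []byte) []byte {
	clientHash := sha256.Sum256(clientDataJSON)
	signed := append(append([]byte{}, authData...), clientHash[:]...)
	d := sha256.Sum256(signed)
	return d[:]
}

// Verify is the RP side: look up the credential, check the user handle is the
// one the credential was registered for, and verify the signature with the
// stored public key. Every failure path returns the same error.
func (rp *RelyingParty) Verify(a Assertion) error {
	cred, ok := rp.creds[a.CredentialID]
	if !ok {
		return ErrAuthFailed
	}
	if subtle.ConstantTimeCompare(cred.UserHandle, a.UserHandle) != 1 {
		return ErrAuthFailed
	}
	digest := assertionDigest(a.AuthenticatorData, a.ClientDataJSON)
	if !ecdsa.VerifyASN1(cred.PublicKey, digest, a.Signature) {
		return ErrAuthFailed
	}
	return nil
}

// newAuthenticatorKey stands in for an authenticator generating an ES256 key pair.
func newAuthenticatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signAssertion mimics the authenticator producing an assertion with the given key.
func signAssertion(priv *ecdsa.PrivateKey, credID string, userHandle, authData, clientDataJSON []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, assertionDigest(authData, clientDataJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredentialID: credID, UserHandle: userHandle,
		AuthenticatorData: authData, ClientDataJSON: clientDataJSON, Signature: sig}, nil
}

func main() {
	rp := NewRelyingParty()
	priv, err := newAuthenticatorKey()
	if err != nil {
		panic(err)
	}
	rp.Register("cred-alice", []byte("alice-handle"), &priv.PublicKey) // constructed IDs
	authData := []byte("constructed authenticator data")
	clientData := []byte(`{"type":"webauthn.get","challenge":"constructed"}`)

	good, _ := signAssertion(priv, "cred-alice", []byte("alice-handle"), authData, clientData)
	fmt.Println("legitimate key:", rp.Verify(good)) // <nil>

	other, _ := newAuthenticatorKey() // a key that was never registered
	bad, _ := signAssertion(other, "cred-alice", []byte("alice-handle"), authData, clientData)
	fmt.Println("wrong key:", rp.Verify(bad)) // authentication failed

	unknown := good
	unknown.CredentialID = "cred-nobody"
	fmt.Println("unknown credential:", rp.Verify(unknown)) // authentication failed
}
```

The RP cannot be fooled into accepting a user handle for an account the caller does not hold the key for, because the handle is only trusted after the signature over the authenticator data verifies against the key registered for that credential. Whether the RP then tells the client "no such account" versus "bad signature" is a choice made in the application layer that wraps `Verify`; here it is made once, by collapsing every failure onto `ErrAuthFailed`.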
