Re: [webauthn] Security threat: Username enumeration

Thanks for bringing this up. I'd say there are three likely deployment scenarios:

1. **Two-factor authentication with password**

    The user first logs in with a traditional password, and then performs a WebAuthn authentication ceremony to prove possession of a second factor. The WebAuthn ceremony is completely behind a traditional password authentication gateway, so username enumeration should not be an issue at this point.

2. **Multi-factor authentication without password and without username**

    The user visits the login page and receives a WebAuthn challenge for any credential. Since the user does not provide a username to initiate this ceremony, username enumeration is not an issue.

3. **Single-factor authentication without password**

    The user initiates a WebAuthn authentication ceremony by submitting their username, and the signed response from the authenticator is the only authentication factor used. **Username enumeration is a risk** in this deployment scenario, if the server returns an error for unknown usernames. I'll admit that Yubico's demo server does exactly that at this time, and analogously returns an error during registration if a username is taken. I don't think there's much you can do about the registration case, unless the username is an e-mail address in which case the server can just claim to have sent a follow-up e-mail regardless of whether the address is already registered.

I don't think (3) will be a rare deployment scenario, so I agree we should address this in the spec. At the very least as an implementation consideration, or possibly even as a new RP operations section outlining recommendations for how to structure data flow for initiating a ceremony.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1014#issuecomment-412129724 using your GitHub account

Received on Friday, 10 August 2018 16:08:18 UTC
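As an added illustration of the scenario-3 oracle emlun describes (example code written for this page, not Yubico's demo server code): the leaky "begin authentication" handler beside a hardened one that answers unknown usernames with a decoy of the same shape. The user store, server secret and RP ID are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: username -> registered credential IDs (bytes).
USER_CREDENTIALS = {
    "alice": [b"cred-id-alice-1"],
}

# Assumed per-deployment secret. It must be stable across restarts so the
# decoy credential ID for a given unknown username never changes between probes.
DECOY_KEY = b"constructed-server-secret-not-a-real-key"
RP_ID = "example.com"  # assumed relying party ID


def _options(credential_ids: list[bytes]) -> dict:
    """PublicKeyCredentialRequestOptions-like dict returned to the client."""
    return {
        "rpId": RP_ID,
        "challenge": secrets.token_bytes(32).hex(),
        "userVerification": "preferred",
        "allowCredentials": [{"type": "public-key", "id": c.hex()} for c in credential_ids],
    }


def begin_auth_leaky(username: str) -> dict:
    """Scenario-3 handler as described in the thread: an unknown username gets a
    distinguishable error, so the endpoint doubles as a username oracle."""
    creds = USER_CREDENTIALS.get(username)
    if creds is None:
        return {"error": "unknown user"}
    return _options(creds)


def begin_auth_hardened(username: str) -> dict:
    """Same endpoint, but an unknown username gets a decoy allowCredentials entry.
    The decoy ID is HMAC(secret, username), so repeated probes of the same unknown
    name see the same value. The finish step then fails verification normally,
    because no stored public key matches the decoy. Caveat: a user with several
    credentials still differs in list length, so the decoy count should mirror
    the deployment's usual distribution rather than always being one."""
    creds = USER_CREDENTIALS.get(username)
    if creds is None:
        decoy = hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).digest()[:16]
        creds = [decoy]
    return _options(creds)


def is_distinguishable(response_a: dict, response_b: dict) -> bool:
    """What a probing client can observe: the key set and the credential count."""
    shape = lambda r: (tuple(sorted(r)), len(r.get("allowCredentials", [])))
    return shape(response_a) != shape(response_b)
```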