Security threat: Username enumeration

Hi, I raised this last night on Github but wasn't sure if it was the right
forum so also raising it here for discussion.

https://github.com/w3c/webauthn/issues/1014

---

The draft webauthn specification doesn't appear to recognise username
enumeration as a security consideration, when in reality it is a significant
issue when using webauthn as a first-factor (passwordless) authentication
mechanism.

Username enumeration is often overlooked by developers, but actually it can
have major ramifications for users and sites. Troy Hunt explains it well in
his blog:-

https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked

I note sites may be likely to use email addresses as usernames, but even if
they don't, usernames may still contain real-world identities or other
confidential identifying information.

I believe it's an important issue for the webauthn specification because:-

- All implementations based solely on the current webauthn specification
  would be affected
- All the demos I found have this problem (demonstrating it will likely be a
  common misstep)
- Even when the risk is understood, mitigation would be difficult with the
  current protocol design

Recommendations:-

- Add user enumeration to the list of security and/or privacy considerations
- Change the registration and validation documentation to make clear sites
  should avoid this issue by not informing end users when usernames are not
  found in their database. It will be necessary for them to mock user public
  keys to prevent more sophisticated attackers from recognising the failed
  attempt.
- Consider amending the protocol to make it simpler for developers to do the
  right thing and not allow user enumeration. Currently developers would need
  to mock complex data structures to prevent unknown users being discerned
  from known users.

Received on Thursday, 26 July 2018 14:17:41 UTC