[webauthn] Leap of Faith not only for Self and None Attestation Types

milesstoetzner has just created a new issue for https://github.com/w3c/webauthn:

== Leap of Faith not only for Self and None Attestation Types ==
Do the [Considerations for Self and None Attestation Types](https://www.w3.org/TR/webauthn/#sctn-no-attestation-security-attestation) also apply for any kind of attestation type?

Lets assume that there is a man-in-the-middle (MiM) who owns the same authenticator as the user or any authenticator that is accepted by the Relying Party. The attacker could simulate that a user is present or that a user is verified - for example by a device touching a button or entering a PIN on the attackers authenticator (this is not bypssing test of user presence or user verification). Therefore the attacker can automatically perform registrations (using any attestation type) and authentications.

During Registration the MiM replaces the attestationObject, that had been generated by the users authenticator, with the attestationObject, that had been generated by the attackers authenticator using the mentioned device.

The Relying Party can not detect the attack. Therefore we are in the same situation as if we would have used Self or None Attestation: leap of faith.

Two considerations: 
- The Relying Party could restrict the allowed AAGUIDs. But I think we can assume that if a user can buy an accepted authenticator, the attacker can also buy one.
- The Relying Party could only accept biometric user verification. But I think we can ignore this case since the Relying Party cant detect this without using optional extensions.
- I know that this attack is even more difficult than the one mentioned in the specification which is already declared as difficult and as easy to detect.

What do you think about that? 

I hope this is not a repost. I could not find anything about that.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1088 using your GitHub account

Received on Friday, 28 September 2018 17:30:18 UTC