Re: [webauthn] Privacy risk from revealing allowed credentials (#1246)

Thanks for pointing this out, we're aware of the issue but it hasn't been a high priority since we're not aware of much interest in using non-resident keys for 1st factor authentication.

I guess we could note in the suggestion of fake credential IDs that the same idea could be used to obfuscate a list containing real credential IDs as well. We could also propose using password authentication as a first step before the WebAuthn ceremony, but that would be a different use case than the one you're considering.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1246#issuecomment-507268983 using your GitHub account

Received on Monday, 1 July 2019 13:40:21 UTC
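
The idea in the comment above, mixing fake credential IDs into a list that may also contain real ones, sketched as relying-party server code in Node.js. This is an added example, not code from the comment or from the WebAuthn specification; `buildAllowCredentials`, `decoyId`, `orderKey`, `LIST_SIZE` and `ID_BYTES` are hypothetical names, and it assumes every real credential ID is 32 bytes long and that the server holds a long-lived secret key.

```javascript
const crypto = require('node:crypto');

const LIST_SIZE = 4; // assumption: every allowCredentials list has this length
const ID_BYTES = 32; // assumption: equals the length of real credential IDs (max 32 here)

// Deterministic decoy: the same username and slot always give the same bytes,
// so two requests for one username cannot be compared to spot the fakes.
function decoyId(secret, username, slot) {
  return crypto.createHmac('sha256', secret)
    .update(`decoy\0${username}\0${slot}`)
    .digest()
    .subarray(0, ID_BYTES);
}

// Keyed, stable sort key: list position reveals nothing about real vs fake.
function orderKey(secret, username, id) {
  return crypto.createHmac('sha256', secret)
    .update(`order\0${username}\0`)
    .update(id)
    .digest('hex');
}

// realIds: Buffers stored for this username, or [] when the account does not exist.
function buildAllowCredentials(secret, username, realIds) {
  if (realIds.length > LIST_SIZE) {
    throw new Error('more credentials than LIST_SIZE; raise LIST_SIZE for all users');
  }
  const ids = realIds.map((id) => Buffer.from(id));
  if (ids.some((id) => id.length !== ID_BYTES)) {
    throw new Error('real credential ID length differs from decoy length');
  }
  // Pad to a constant length so list size does not reveal how many keys exist.
  for (let slot = 0; ids.length < LIST_SIZE; slot++) {
    ids.push(decoyId(secret, username, slot));
  }
  return ids
    .map((id) => ({ id, key: orderKey(secret, username, id) }))
    .sort((a, b) => (a.key < b.key ? -1 : a.key > b.key ? 1 : 0))
    .map(({ id }) => ({ type: 'public-key', id: id.toString('base64url') }));
}
```

An unknown username and a registered one both get a stable list of `LIST_SIZE` equal-length entries; the list for an account still changes when that account adds or removes a credential.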