Re: [webauthn] Can't exclude U2F credentials (#1235)

You could end up in a situation where your account security settings page has "duplicates" in the sense that they are two credentials on the same authenticator. I believe if both are present in `allowCredentials` the WebAuthn credential would probably override the U2F one, judging by how the [`appid` extension][appid] client processing is written. So probably the U2F authenticator would end up not being used.

Here's a rather contrived scenario leading to a security issue:

1. Alice has been using authenticator A for a while, and has accidentally had it registered as both an AppID authenticator and an RP ID authenticator.
2. Mallory gifts Alice a next-generation authenticator B. Alice now wants to retire authenticator A and use authenticator B instead.
3. Alice registers authenticator B with an RP, then logs out and logs back in with authenticator A.
4. On the security settings page, Alice sees that "Authenticator A" was used to log in "less than a minute ago" and pushes the button to delete that authenticator from her account.
5. Confident that authenticator A can no longer be used to log in to her account, Alice gives authenticator A to Mallory.
6. Mallory, having planned this all along, can now use authenticator A to access Alice's account (assuming Mallory has also obtained Alice's password) since it's still registered as a U2F authenticator.

I think this problem, and many others, is probably best solved by teaching good security hygiene. We should encourage RPs to allow (or even require) users to set nicknames for their credentials, and to periodically encourage users to review their security settings and clean out any credentials that haven't been used in a while. I'm not sure it's appropriate to include such guidance in the spec, though. That might be better suited for third-party documentation.

In any case, at least there won't be any issues with orphaned resident credentials since U2F doesn't support them. As soon as they're deleted from the server, they're also "deleted" from the authenticator.

[appid]: https://w3c.github.io/webauthn/#sctn-appid-extension


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1235#issuecomment-501646115 using your GitHub account

Received on Thursday, 13 June 2019 10:28:51 UTC
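Added example, not part of the comment above or of the WebAuthn spec: a sketch of the credential review an RP could show right after a credential is deleted, run on constructed data for the Alice scenario. The record fields (`protocol`, `nickname`, `last_used`), the function name and the 90-day threshold are all assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed review threshold, not from the spec


def review_remaining(credentials, deleted_id, now):
    """Return (credential id, reasons) for every credential that is still
    registered after a deletion and that the user should look at before
    handing the physical authenticator to someone else."""
    findings = []
    for cred in credentials:
        if cred["id"] == deleted_id:
            continue  # this is the credential the user just removed
        reasons = []
        if cred["protocol"] == "u2f":
            # The RP cannot prove two credentials live on one device, so it
            # can only prompt the user to check legacy registrations.
            reasons.append("legacy U2F (AppID) registration, may be on a retired device")
        if not cred.get("nickname"):
            reasons.append("no nickname")
        last_used = cred.get("last_used")
        if last_used is None:
            reasons.append("never used")
        elif now - last_used > STALE_AFTER:
            reasons.append(f"unused for {(now - last_used).days} days")
        if reasons:
            findings.append((cred["id"], reasons))
    return findings


# Constructed records: authenticator A is registered twice (U2F and WebAuthn),
# authenticator B once. Logins with A always used the WebAuthn credential,
# so the U2F registration has gone stale.
NOW = datetime(2019, 6, 13, 10, 0, tzinfo=timezone.utc)
ALICE = [
    {"id": "a-u2f", "protocol": "u2f", "nickname": None,
     "last_used": NOW - timedelta(days=200)},
    {"id": "a-webauthn", "protocol": "webauthn", "nickname": "Authenticator A",
     "last_used": NOW - timedelta(seconds=30)},
    {"id": "b-webauthn", "protocol": "webauthn", "nickname": "Authenticator B",
     "last_used": NOW - timedelta(minutes=5)},
]

if __name__ == "__main__":
    # Alice deletes the credential she just logged in with (step 4).
    for cred_id, reasons in review_remaining(ALICE, "a-webauthn", NOW):
        print(cred_id, "->", "; ".join(reasons))
```

Deleting `a-webauthn` leaves `a-u2f` as the only flagged entry, which is the registration that keeps authenticator A usable in step 6.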