Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

Three reasons which quickly spring to mind: 

1. The statistical probability of a credential ID repeating should be high enough that it is more likely something went wrong or that this is an attempt at an attack.
2. Predictable credential IDs could be used to track a user across services, say a credential ID which is a combination of a device serial number and a monotonically-increasing counter.
3. The credential ID is returned on getAssertion, and could be used as a global identifier on a particular website.


-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610183724 using your GitHub account

Received on Tuesday, 7 April 2020 05:34:22 UTC
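The relying-party-side consequence of the reasons above is the registration-time check that a new credential ID is not already bound to any account, not just to the account being enrolled. The following is an added example, not code from the thread or from the WebAuthn specification's authors: a constructed in-memory credential store whose `register` method enforces that global uniqueness and treats a repeat as a failure rather than silently re-binding the credential. The store layout, the `CredentialIdCollision` exception, the user handles and the sample credential IDs are all constructed for illustration.

```python
import secrets
from typing import Dict, List, Optional


class CredentialIdCollision(Exception):
    """A credential ID is already registered, to this or another user."""


class CredentialStore:
    """Constructed in-memory RP credential store (illustration only)."""

    def __init__(self) -> None:
        # Global index: credential_id -> user handle that owns it.
        # This is the index that makes the cross-user check possible.
        self._owner_by_credential: Dict[bytes, bytes] = {}
        # Per-account view: user handle -> credential IDs on that account.
        self._credentials_by_user: Dict[bytes, List[bytes]] = {}

    def register(self, user_handle: bytes, credential_id: bytes) -> None:
        # WebAuthn credential IDs are at least 16 bytes; a shorter value cannot
        # carry enough entropy to be probabilistically unique, so reject it.
        if len(credential_id) < 16:
            raise ValueError("credential ID shorter than 16 bytes")
        owner = self._owner_by_credential.get(credential_id)
        if owner is not None:
            # The check is global, not per-user. A repeat of a properly random
            # ID is so unlikely that it is more plausibly a bug or an attempt
            # to bind an existing credential to a different account.
            raise CredentialIdCollision(
                f"credential ID {credential_id.hex()} already registered"
            )
        self._owner_by_credential[credential_id] = user_handle
        self._credentials_by_user.setdefault(user_handle, []).append(credential_id)

    def owner_of(self, credential_id: bytes) -> Optional[bytes]:
        """Assertion-time lookup: which user handle owns this credential ID?"""
        return self._owner_by_credential.get(credential_id)

    def credentials_for(self, user_handle: bytes) -> List[bytes]:
        return list(self._credentials_by_user.get(user_handle, []))


def demo() -> dict:
    """Walk through a cross-user collision; returns results for checking."""
    store = CredentialStore()
    alice, bob = b"user-handle-alice", b"user-handle-bob"
    # Constructed sample IDs: one random 16-byte value, as an authenticator
    # would produce, and one fixed value so the collision is reproducible.
    cred_random = secrets.token_bytes(16)
    cred_fixed = bytes.fromhex("00112233445566778899aabbccddeeff")

    store.register(alice, cred_random)
    store.register(alice, cred_fixed)

    try:
        store.register(bob, cred_fixed)  # same ID, different user
        cross_user_rejected = False
    except CredentialIdCollision:
        cross_user_rejected = True

    try:
        store.register(bob, b"short")  # under the 16-byte minimum
        short_rejected = False
    except ValueError:
        short_rejected = True

    return {
        "cross_user_rejected": cross_user_rejected,
        "short_rejected": short_rejected,
        "owner_of_fixed": store.owner_of(cred_fixed),
        "alice_count": len(store.credentials_for(alice)),
        "bob_count": len(store.credentials_for(bob)),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the first dictionary: keying a global index by credential ID is what lets the RP answer "is this ID registered to anyone?" in one lookup, which a per-account table alone cannot do. The same index is what getAssertion handling uses to map an incoming credential ID back to its owner, which is also why, per reason 3, the ID effectively acts as a site-wide identifier and should not be exposed beyond the RP.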