
Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Tue, 07 Apr 2020 05:34:19 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-610183724-1586237658-sysbot+gh@w3.org>
Three reasons which quickly spring to mind:

1. The statistical probability of a credential id repeating should be high enough that it is more likely something went wrong or that this is an attempt at an attack.
2. Predictable credential IDs could be used to track a user across services, say a credential ID which is a combination of a device serial number and a monotonically-increasing counter.
3. The credential id is returned on getAssertion, and could be used as a global identifier on a particular website.

GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610183724 using your GitHub account
Received on Tuesday, 7 April 2020 05:34:22 UTC
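As an added illustration of the three points above (this is not part of the thread, and not code from the WebAuthn specification, any authenticator, or any library), the following Python sketch of a relying-party credential store shows the defender's side of points 1 and 3: one credential-id table across all users, a rejection when an id that already belongs to another user shows up at registration, and a lookup by id on assertion. For point 2 it contrasts a hypothetical serial-plus-counter id scheme with random ids to show why the former lets two unrelated relying parties correlate a device. The class and function names, the user handles, and the serial value are assumptions made for this example.

```python
"""Relying-party handling of WebAuthn credential IDs (added example).

* A single credential-id table spans every user, and an id already bound
  to a different user fails the registration ceremony (WebAuthn's
  registration step "verify that the credentialId is not yet registered
  to any other user"), so a duplicate is an error, never a silent rebind.
* The id is random and at least 16 bytes (the spec's minimum), because a
  structured id lets separate relying parties correlate one device.
All names and sample values here are constructed for this example.
"""
import secrets

MIN_CREDENTIAL_ID_BYTES = 16  # spec minimum length for a credential id


class CredentialStore:
    """One relying party's store, keyed by credential id across ALL users."""

    def __init__(self):
        self._owner_by_id = {}  # credential_id (bytes) -> user handle

    def register(self, user, credential_id):
        """Bind credential_id to user, or raise if the binding is unsafe."""
        if not isinstance(credential_id, (bytes, bytearray)):
            raise TypeError("credential id must be bytes")
        cid = bytes(credential_id)
        if len(cid) < MIN_CREDENTIAL_ID_BYTES:
            raise ValueError("credential id shorter than 16 bytes")
        owner = self._owner_by_id.get(cid)
        if owner is not None and owner != user:
            # Either the authenticator is faulty or an id captured elsewhere
            # is being replayed (point 1): fail the ceremony.
            raise ValueError("credential id already registered to another user")
        self._owner_by_id[cid] = user

    def owner_of(self, credential_id):
        """Resolve the user for the id returned by getAssertion (point 3)."""
        return self._owner_by_id.get(bytes(credential_id))

    def ids(self):
        return set(self._owner_by_id)


def structured_credential_id(device_serial, counter):
    """Hypothetical predictable scheme from point 2: serial || counter."""
    return device_serial.to_bytes(8, "big") + counter.to_bytes(8, "big")


def random_credential_id():
    """Random id as the spec intends (32 random bytes here)."""
    return secrets.token_bytes(32)


def linkable_prefixes(rp_a, rp_b, serial_len=8):
    """Id prefixes that appear in BOTH relying parties' stores.

    Under the structured scheme the first 8 bytes are the device serial, so
    anyone holding both databases can match them; with random ids there is
    no shared prefix to match (collision probability about 2**-64)."""
    prefixes_a = {cid[:serial_len] for cid in rp_a.ids()}
    return {cid[:serial_len] for cid in rp_b.ids()} & prefixes_a


def demo():
    """Returns (collision_rejected, structured_links, random_links)."""
    rp = CredentialStore()
    cid = random_credential_id()
    rp.register("alice", cid)
    try:
        rp.register("bob", cid)  # same id, different user: must be refused
        collision_rejected = False
    except ValueError:
        collision_rejected = True

    # Cross-RP correlation with the structured scheme (constructed serial) ...
    a, b = CredentialStore(), CredentialStore()
    a.register("alice@rp-a", structured_credential_id(0x1234, 1))
    b.register("someone@rp-b", structured_credential_id(0x1234, 2))
    structured_links = len(linkable_prefixes(a, b))

    # ... versus random ids issued by the same device to the same two RPs.
    a2, b2 = CredentialStore(), CredentialStore()
    a2.register("alice@rp-a", random_credential_id())
    b2.register("someone@rp-b", random_credential_id())
    random_links = len(linkable_prefixes(a2, b2))
    return collision_rejected, structured_links, random_links


if __name__ == "__main__":
    print(demo())  # (True, 1, 0)
```

The collision check is deliberately keyed on the id alone, not on (user, id): a duplicate from a different user is exactly the case the thread calls out as "something went wrong or an attack", and a store keyed per user would never see it.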
