- From: David Waite <dwaite@pingidentity.com>
- Date: Wed, 8 Apr 2020 00:17:50 -0600
- To: Evan Heaton via GitHub <sysbot+gh@w3.org>
- Cc: W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CA+3kW=ZpLX-RwGig=kpiyE0u0RfLfAC1wRRcQVTYuXCg4bmnzA@mail.gmail.com>
Many RPs do look up by user handle. However, allowing the same credential ID to be registered multiple times is ignoring a security issue.

David Waite
Principal Technical Architect, CTO Office
dwaite@pingidentity.com

On Tue, Apr 7, 2020 at 11:13 AM Evan Heaton via GitHub <sysbot+gh@w3.org> wrote:

> Even in the case of resident keys, won't the authenticator return the selected user handle alongside the assertion? Then, based on that received user handle the RP could look up just the credentials for that user, find the match for credentialId (since it would be unique within the scope of that user), and continue with the assertion verification.
>
> --
> GitHub Notification of comment by epheat
> Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610511460 using your GitHub account
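The two relying-party behaviours the exchange touches on, as an added example that is not part of the original messages or of the WebAuthn specification text: a hypothetical credential store that scopes the assertion-time lookup by the user handle the authenticator returns, and that refuses at registration time to accept a credential ID that is already registered to any user, so the RP-wide index stays unambiguous. All names (`CredentialStore`, `register`, `lookup_for_assertion`, `try_register`) and the sample handles are constructed for this illustration; a real RP would additionally verify the challenge, origin, RP ID hash, flags, signature and sign count.

```python
"""Hypothetical WebAuthn relying-party credential store (added example).

Demonstrates two defensive checks: assertion lookup scoped by user
handle, and rejection of duplicate credential IDs at registration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RegistrationError(Exception):
    """Raised when a registration ceremony must fail."""


@dataclass
class Credential:
    credential_id: bytes
    public_key: bytes  # COSE key bytes in a real RP; opaque here
    sign_count: int = 0


@dataclass
class CredentialStore:
    # user handle -> credentials belonging to that user
    by_user: Dict[bytes, List[Credential]] = field(default_factory=dict)
    # credential ID -> owning user handle (RP-wide uniqueness index)
    owner_of: Dict[bytes, bytes] = field(default_factory=dict)

    def register(self, user_handle: bytes, cred: Credential) -> None:
        """Store a new credential for user_handle.

        Fails if the credential ID is already registered for anyone,
        including the same user: a credential ID that maps to more than
        one record cannot be attributed to a single account later.
        """
        if cred.credential_id in self.owner_of:
            raise RegistrationError("credential ID already registered")
        self.by_user.setdefault(user_handle, []).append(cred)
        self.owner_of[cred.credential_id] = user_handle

    def lookup_for_assertion(self, user_handle: Optional[bytes],
                             credential_id: bytes) -> Optional[Credential]:
        """Return the credential an assertion should be verified against.

        When the authenticator supplied a user handle, only that user's
        credentials are candidates (the lookup the thread describes).
        Without a user handle, the RP-wide index is consulted; that is
        only safe because register() keeps credential IDs unique.
        """
        if user_handle is not None:
            candidates = self.by_user.get(user_handle, [])
        else:
            owner = self.owner_of.get(credential_id)
            candidates = self.by_user.get(owner, []) if owner else []
        for cred in candidates:
            if cred.credential_id == credential_id:
                return cred
        return None


def try_register(store: CredentialStore, user_handle: bytes,
                 cred: Credential) -> bool:
    """Convenience wrapper: True if registration succeeded, else False."""
    try:
        store.register(user_handle, cred)
        return True
    except RegistrationError:
        return False


if __name__ == "__main__":
    # Constructed sample data: two users, one attempted duplicate ID.
    store = CredentialStore()
    print(try_register(store, b"user-alice", Credential(b"\x01\x02", b"pkA")))  # True
    print(try_register(store, b"user-bob", Credential(b"\x01\x02", b"pkB")))    # False
    print(store.lookup_for_assertion(b"user-alice", b"\x01\x02"))
    print(store.lookup_for_assertion(b"user-bob", b"\x01\x02"))  # None
```

The scoped lookup means that even if two users somehow held credentials with equal IDs, an assertion carrying a user handle would still resolve to one record; the registration check is what keeps the no-user-handle path from ever facing that ambiguity.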
Received on Wednesday, 8 April 2020 06:18:16 UTC