
Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

From: David Waite <dwaite@pingidentity.com>
Date: Wed, 8 Apr 2020 00:17:50 -0600
Message-ID: <CA+3kW=ZpLX-RwGig=kpiyE0u0RfLfAC1wRRcQVTYuXCg4bmnzA@mail.gmail.com>
To: Evan Heaton via GitHub <sysbot+gh@w3.org>
Cc: W3C Web Authn WG <public-webauthn@w3.org>
Many RPs do look up by user handle. However, allowing the same credential
ID to be registered multiple times is ignoring a security issue.
David Waite
Principal Technical Architect, CTO Office
dwaite@pingidentity.com
w: 303 468 2855


On Tue, Apr 7, 2020 at 11:13 AM Evan Heaton via GitHub <sysbot+gh@w3.org>
wrote:

> Even in the case of resident keys, won't the authenticator return the
> selected user handle alongside the assertion? Then, based on that received
> user handle the RP could look up just the credentials for that user, find
> the match for credentialId (since it would be unique within the scope of
> that user), and continue with the assertion verification.
>
> --
> GitHub Notification of comment by epheat
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/1403#issuecomment-610511460 using
> your GitHub account
>
>

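The two lookup orders argued over in this thread, as an added example (this is not code from the thread, the WebAuthn WG or the specification): a minimal relying-party credential store whose primary key is the credential ID. It applies the registration-time check from WebAuthn Level 1 section 7.1 (fail registration if the credential ID is already registered to a different user) and the assertion-time order from section 7.2 (look up by credential ID, then confirm that the user handle the authenticator returned, if any, is the owner). The class and function names, the byte-string user handles and the sample credential ID are all assumptions made for illustration; signature verification is deliberately left out because the point is the lookup, not the crypto.

```python
"""Added example, not code from the W3C thread or the WebAuthn spec.

Assumptions (illustrative only):
  * credential IDs and user handles are raw bytes, as they are on the wire;
  * public keys are opaque bytes (a real RP stores a COSE key);
  * no signature verification is performed here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class CredentialAlreadyRegistered(Exception):
    """Credential ID is already bound to a different user (spec section 7.1)."""


class UnknownCredential(Exception):
    """No stored credential matches the assertion, or the named user is not its owner."""


@dataclass
class StoredCredential:
    credential_id: bytes
    user_handle: bytes
    public_key: bytes


@dataclass
class CredentialStore:
    # Primary index: credential ID -> credential. Keying on the credential ID
    # is what makes "unique across all users" enforceable at all.
    by_credential_id: Dict[bytes, StoredCredential] = field(default_factory=dict)
    # Secondary index: user handle -> that user's credential IDs, for listing
    # a user's authenticators (e.g. to build allowCredentials).
    by_user_handle: Dict[bytes, Set[bytes]] = field(default_factory=dict)

    def register(self, cred: StoredCredential) -> None:
        existing = self.by_credential_id.get(cred.credential_id)
        if existing is not None and existing.user_handle != cred.user_handle:
            # Section 7.1: a credential ID already registered to another user
            # must not be accepted. A store that only ever looks inside one
            # user's credential set never sees this collision.
            raise CredentialAlreadyRegistered(cred.credential_id.hex())
        # Same user re-registering the same credential ID simply replaces it.
        self.by_credential_id[cred.credential_id] = cred
        self.by_user_handle.setdefault(cred.user_handle, set()).add(cred.credential_id)

    def lookup_for_assertion(
        self, credential_id: bytes, user_handle: Optional[bytes]
    ) -> StoredCredential:
        """Section 7.2 order: resolve by credential ID, then check ownership.

        user_handle is the value the authenticator returned with the assertion
        (present for resident keys, usually absent otherwise). The credential
        ID alone identifies the row; the user handle only confirms it.
        """
        cred = self.by_credential_id.get(credential_id)
        if cred is None:
            raise UnknownCredential(credential_id.hex())
        if user_handle is not None and cred.user_handle != user_handle:
            # The authenticator named a user who does not own this credential.
            raise UnknownCredential(credential_id.hex())
        return cred


def demo() -> dict:
    """Walk through the scenario under discussion with constructed sample values."""
    store = CredentialStore()
    alice, bob = b"user-alice", b"user-bob"          # constructed user handles
    cred_id = bytes.fromhex("0102030405060708")      # constructed credential ID

    store.register(StoredCredential(cred_id, alice, b"pk-alice"))

    # A second user presenting the same credential ID is rejected at registration.
    try:
        store.register(StoredCredential(cred_id, bob, b"pk-bob"))
        duplicate_rejected = False
    except CredentialAlreadyRegistered:
        duplicate_rejected = True

    # Assertion with the owner's user handle resolves to Alice's credential;
    # the same assertion claiming Bob's handle does not.
    owner = store.lookup_for_assertion(cred_id, alice).user_handle
    try:
        store.lookup_for_assertion(cred_id, bob)
        wrong_user_rejected = False
    except UnknownCredential:
        wrong_user_rejected = True

    # Non-resident flow: no user handle returned, credential ID alone suffices.
    no_handle_owner = store.lookup_for_assertion(cred_id, None).user_handle

    return {
        "duplicate_rejected": duplicate_rejected,
        "owner": owner,
        "wrong_user_rejected": wrong_user_rejected,
        "no_handle_owner": no_handle_owner,
        "alice_credentials": sorted(store.by_user_handle[alice]),
    }


if __name__ == "__main__":
    print(demo())
```

The per-user index is still useful (it is how the RP lists a user's authenticators), but it is secondary: the uniqueness check at registration and the ownership check at assertion both need the credential ID to be the key that is looked up first.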
Received on Wednesday, 8 April 2020 06:18:16 UTC