Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

Thanks for the responses! Seems it's not a requirement for the specification, but skipping the uniqueness check introduces the possibility of accidentally assigning the same credential to multiple users, potentially allowing them to impersonate each other. RPs should thus tread lightly if they decide to skip the uniqueness check across all users.

One more concern I had is related to authenticators that offload the storage of their private keys by encrypting them and using that as the credentialId. My initial thought was that if two independent authenticators using this technique somehow end up with the same credentialId, they might be able to impersonate eachother. However, I don't think this is true since they would each have their own private encryption key, and would thus interpret that credentialId differently.

-- 
GitHub Notification of comment by epheat
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-611095099 using your GitHub account

Received on Wednesday, 8 April 2020 17:40:53 UTC