Re: [webauthn] The risk that an attacker may identify whether or not an account supports FIDO (#1475)

It might depend on how the RP handles such NRK authentication requests.

- Ideally, the RP might simply return a randomly generated credential ID, which makes it harder for the attacker to distinguish
- The RP might introduce reCAPTCHA or something similar to block automated attempts (brute force)
- To slow down the attacker's attempts, the RP might introduce rate limiting (exponentially increasing timeout)
- The RP might leverage NRK just for step-up authentication

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1475#issuecomment-682311277 using your GitHub account



Received on Friday, 28 August 2020 03:58:41 UTC
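The first and third mitigations above (a decoy credential ID for accounts with no non-resident key, plus exponential rate limiting) sketched as RP-side code. This is an added example, not code from the thread, the WebAuthn specification or any RP; `RP_ID`, `SERVER_SECRET`, `CREDENTIAL_STORE`, `RateLimiter` and `begin_assertion` are hypothetical names, and the credential store and secret are constructed inline. It goes one step beyond the comment: the decoy is not freshly random per request but derived with an HMAC keyed by a server secret, so repeated queries for the same name return the same ID and the attacker cannot tell a decoy from a real credential by querying twice.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed data for this example. A real RP would load these from its
# user/credential database and a secrets store.
RP_ID = "example.com"
SERVER_SECRET = bytes.fromhex("6f4a1c2e9b8d7f60e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d5e6f708192")
CREDENTIAL_STORE = {
    "alice": [bytes.fromhex("a1" * 32)],  # alice enrolled one authenticator
    "bob": [],                              # bob exists but never registered FIDO
}


def decoy_credential_id(username: str, secret: bytes = SERVER_SECRET) -> bytes:
    """Stable, unpredictable decoy credential ID for a name without a real NRK.

    Keyed HMAC rather than os.urandom: a value that changed on every request
    would itself reveal that no real credential exists. 32 bytes matches the
    length many authenticators use for their credential IDs.
    """
    return hmac.new(secret, b"webauthn-decoy:" + username.encode(), hashlib.sha256).digest()


def allow_credentials(username: str) -> list[dict]:
    """allowCredentials entries with identical shape for known and unknown users."""
    ids = CREDENTIAL_STORE.get(username) or [decoy_credential_id(username)]
    return [{"type": "public-key", "id": cid} for cid in ids]


@dataclass
class RateLimiter:
    """Per-client exponential backoff: 1s, 2s, 4s, ... after each failed assertion."""
    base_seconds: float = 1.0
    cap_seconds: float = 3600.0
    _state: dict = field(default_factory=dict)  # client -> (failures, blocked_until)

    def allowed(self, client: str, now: float) -> bool:
        _, blocked_until = self._state.get(client, (0, 0.0))
        return now >= blocked_until

    def retry_after(self, client: str, now: float) -> float:
        _, blocked_until = self._state.get(client, (0, 0.0))
        return max(0.0, blocked_until - now)

    def record_failure(self, client: str, now: float) -> float:
        failures, _ = self._state.get(client, (0, 0.0))
        failures += 1
        delay = min(self.base_seconds * 2 ** (failures - 1), self.cap_seconds)
        self._state[client] = (failures, now + delay)
        return delay

    def record_success(self, client: str) -> None:
        self._state.pop(client, None)


def begin_assertion(username: str, client: str, limiter: RateLimiter, now: float) -> dict:
    """Server half of navigator.credentials.get() for a non-resident key flow.

    The response has the same keys and the same number of allowCredentials
    entries whether the account exists, exists without FIDO, or is unknown.
    """
    if not limiter.allowed(client, now):
        return {"status": 429, "retry_after": limiter.retry_after(client, now)}
    return {
        "status": 200,
        "challenge": secrets.token_bytes(32),
        "rpId": RP_ID,
        "allowCredentials": allow_credentials(username),
        "userVerification": "preferred",
    }


if __name__ == "__main__":
    limiter = RateLimiter()
    for name in ("alice", "bob", "nobody"):
        resp = begin_assertion(name, "203.0.113.7", limiter, now=0.0)
        print(name, resp["status"], len(resp["allowCredentials"]), resp["allowCredentials"][0]["id"].hex()[:16])
```

The decoy only helps if the rest of the flow is also uniform: the RP must still issue a challenge, accept the (necessarily invalid) assertion, and fail it through the same verification path and with the same error and timing as a wrong signature for a real credential, and `record_failure` should be called on that path regardless of whether the credential was real.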