Re: [webauthn] The risk that an attacker can identify whether an account supports FIDO or not (#1475)

The WebAuthn Level 2 spec has articulated the issue of exposing credentialIds from a privacy perspective. It is an important aspect. But equally serious is that exposing credentialIds will help attackers identify which usernames/accounts are not protected by FIDO and are still using passwords, for a service that mixes legacy passwords and FIDO. Knowing this, attackers will improve the success rate of their list-based attacks.

For a consumer service provided by an RP, transitioning from legacy password-based authentication to FIDO cannot happen overnight. Many services will depend on users opting in to transition from passwords to FIDO. Therefore, mixed use of passwords and FIDO will continue for a certain period.

As such, RPs need to implement some countermeasures, such as those described above, to deny attackers this kind of opportunity (how effective they can be, how much complex work the RP will have to do, and how they will affect usability for consumers still need to be investigated).

This is not a privacy issue but a security issue. I think the WebAuthn spec should articulate this from a security perspective and suggest that RPs implement certain mechanisms to prevent this from happening, depending on their policies.

-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1475#issuecomment-682418473 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 28 August 2020 09:09:09 UTC