Re: [webauthn] The risk of attacker may can identify whether if the account support FIDO or not (#1475)

This is similar to what's described in [14.6.3. Privacy leak via credential IDs](https://w3c.github.io/webauthn/#sctn-credential-id-privacy-leak), and the same countermeasures should apply here. Perhaps we should make a mention of this in the security considerations section, too, but it doesn't look like anything substantive needs to be added.

I don't agree that this also applies to the discoverable keys (username-less) use case, as the server then returns only a challenge to initiate the ceremony. If the server only supports username-less authentication, I don't see how this issue can occur. It remains if the server supports both discoverable and non-discoverable keys, though.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1475#issuecomment-684886512 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 1 September 2020 14:14:53 UTC