Re: [webauthn] The risk that an attacker may identify whether the account supports FIDO or not (#1475)

This is similar to what's described in 14.6.3. Privacy leak via credential IDs, and the same countermeasures should apply here. Perhaps we should make a mention of this in the security considerations section, too, but it doesn't look like anything substantive needs to be added.

I don't agree that this also applies to the discoverable keys (username-less) use case, as the server then returns only a challenge to initiate the ceremony. If the server only supports username-less authentication, I don't see how this issue can occur. It remains if the server supports both discoverable and non-discoverable keys, though.

GitHub Notification of comment by emlun

Received on Tuesday, 1 September 2020 14:14:53 UTC
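The leak under discussion, as an added illustration that is not part of the thread or of the WebAuthn specification: a relying party that answers "no FIDO credentials" for one username and an allowCredentials list for another gives an unauthenticated caller an oracle for which accounts use FIDO. The hardened handler below applies the kind of countermeasure the comment refers to, returning imitation credential IDs for accounts without credentials, and the username-less handler shows why the leak does not arise when only a challenge is returned. The account store, the secret, the HMAC-based derivation of imitation IDs and their count are all constructed for this example and are assumptions, not the specification's prescribed scheme.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample account store: username -> registered credential IDs (raw bytes).
ACCOUNTS = {
    "alice": [b"\x01" * 16, b"\x02" * 16],  # account with two FIDO credentials
    "bob": [],                              # account exists but has no FIDO credentials
}

# Hypothetical per-deployment secret; in practice it would live in a secret store.
IMITATION_SECRET = b"constructed-secret-for-this-example-only"


def b64url(data: bytes) -> str:
    """Base64url without padding, as credential IDs are sent to the client."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def leaky_options(username: str) -> dict:
    """Naive non-discoverable flow: the response shape reveals whether the
    account has FIDO credentials (the oracle the thread is about)."""
    creds = ACCOUNTS.get(username)
    if not creds:
        return {"error": "no FIDO credentials for this account"}
    return {
        "challenge": b64url(secrets.token_bytes(32)),
        "allowCredentials": [{"type": "public-key", "id": b64url(c)} for c in creds],
    }


def imitation_credential_ids(username: str) -> list:
    """Deterministic imitation IDs derived from HMAC(secret, username).
    Deterministic so repeated queries for the same name return the same list;
    the count (1..3) is derived the same way so it does not single out
    accounts without credentials. Assumed scheme, not the spec's wording."""
    seed = hmac.new(IMITATION_SECRET, username.encode(), hashlib.sha256).digest()
    count = 1 + seed[0] % 3
    ids = []
    for i in range(count):
        digest = hmac.new(IMITATION_SECRET, username.encode() + bytes([i]),
                          hashlib.sha256).digest()
        ids.append(digest[:16])  # same length as the constructed real IDs above
    return ids


def hardened_options(username: str) -> dict:
    """Non-discoverable flow with imitation IDs: unknown accounts and accounts
    without credentials get a response indistinguishable in shape from a
    FIDO-enabled account. An assertion over an imitation ID must later fail
    verification, since no public key is registered for it."""
    creds = ACCOUNTS.get(username) or imitation_credential_ids(username)
    return {
        "challenge": b64url(secrets.token_bytes(32)),  # would be stored for later verification
        "allowCredentials": [{"type": "public-key", "id": b64url(c)} for c in creds],
    }


def usernameless_options() -> dict:
    """Discoverable-credential flow: no username is sent, so there is nothing
    account-specific to leak; only a challenge is returned."""
    return {"challenge": b64url(secrets.token_bytes(32))}


def observable_shape(options: dict) -> tuple:
    """What an unauthenticated caller can compare across usernames: the keys
    present and the length of each credential ID."""
    ids = options.get("allowCredentials", [])
    return (tuple(sorted(options)), tuple(len(c["id"]) for c in ids))


if __name__ == "__main__":
    for name in ("alice", "bob", "nobody"):
        print(name, "leaky:", observable_shape(leaky_options(name)))
        print(name, "hardened:", observable_shape(hardened_options(name)))
    print("usernameless:", observable_shape(usernameless_options()))
```

The remaining distinguishing signal in the hardened flow is the number of credentials, which differs between real users anyway; the imitation list varies its count for the same reason. What the hardened handler cannot hide is timing, so the lookup and imitation derivation should take comparable time in a real deployment.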