- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 01 Sep 2020 14:14:51 +0000
- To: public-webauthn@w3.org

This is similar to what's described in [14.6.3. Privacy leak via credential IDs](https://w3c.github.io/webauthn/#sctn-credential-id-privacy-leak), and the same countermeasures should apply here. Perhaps we should make a mention of this in the security considerations section, too, but it doesn't look like anything substantive needs to be added.

I don't agree that this also applies to the discoverable keys (username-less) use case, as the server then returns only a challenge to initiate the ceremony. If the server only supports username-less authentication, I don't see how this issue can occur. It remains if the server supports both discoverable and non-discoverable keys, though.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1475#issuecomment-684886512 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 1 September 2020 14:14:53 UTC