Re: [webauthn] The risk of attacker may can identify whether if the account support FIDO or not (#1475)

14.6.3. Privacy leak via credential IDs does discuss on the issue of exposing credentiaIds. But I do not think it is enough.

One of the most significant security consequences of exposing credentialIds is that it let attacker know which accounts are not FIDO/WebAuthn enabled yet and still using passwords only. This information will give better chance for attackers to succeed in their list based attacks for the legacy passwords only accounts as they can focus on the weaker accounts.

As I mentioned above, for consumer use cases, RPs cannot transition all accounts to FIDO/WebAuthn enabled ones right away and this vulnerability remains for a long time.

This is one of the serious design consideration for RPs to deploy FIDO/WebAuthn.

We should call upon this 'security' risk to RPs explicitly in the specification.

GitHub Notification of comment by maxhata
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 2 September 2020 04:40:14 UTC