Re: [webauthn] The risk that an attacker may identify whether an account supports FIDO or not (#1475)

Section 14.6.3, Privacy leak via credential IDs, does discuss the issue of exposing credentialIds, but I do not think it is enough.

One of the most significant security consequences of exposing credentialIds is that it lets an attacker know which accounts are not FIDO/WebAuthn enabled yet and still use passwords only. This information gives attackers a better chance of succeeding in their list-based attacks against legacy password-only accounts, as they can focus on the weaker accounts.

As I mentioned above, for consumer use cases, RPs cannot transition all accounts to FIDO/WebAuthn-enabled ones right away, so this vulnerability remains for a long time.

This is one of the serious design considerations for RPs deploying FIDO/WebAuthn.

We should call out this 'security' risk to RPs explicitly in the specification.

-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1475#issuecomment-685290876 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 2 September 2020 04:40:14 UTC