W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2020

Re: [webauthn] Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? (#1484)

From: Jun Hayakawa via GitHub <sysbot+gh@w3.org>
Date: Wed, 16 Sep 2020 15:55:19 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-693499739-1600271718-sysbot+gh@w3.org>
I believe RK is simpler and more secure.

For example, if we want to use a platform authenticator instead of a password, but RK is not available, we need to consider the following mitigation measures.
[14.6.2. Username Enumeration ](https://w3c.github.io/webauthn/#sctn-username-enumeration)

At a minimum, the following NOTES should be considered.

> Note: If returned imaginary values noticeably differ from actual ones, clever attackers may be able to discern them and thus be able to test for existence Examples of noticeably different values include if the values are always the same for all username inputs, or are different in repeated attempts with the same username input. The allowCredentials member could therefore be populated with pseudo-random values derived deterministically from the username, for example.

In addition, in a real-world use case we need to consider the following
- Length of credential ID. Depends on the type of authenticator and vendor.
- Number of credential IDs. A user may have more than one authenticator registered.

Since these are dependent on user usage, it is difficult to consider the appropriate logic.

GitHub Notification of comment by j-hayakawa
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1484#issuecomment-693499739 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 16 September 2020 15:55:21 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:41 UTC