Re: [webauthn] Cross-origin credential creation in iframes (#1656)

> .. what kind of attacks on FIDO/WebAuth become available with unethical issuers, merchants, and PSPs or in 3rd party contexts?

Given that passwordless authentication using FIDO is not widely implemented yet (if at all), it's a little too soon to know what's possible, Rouslan (@rsolomakhin). For now, I envision mostly privacy related attacks on Consumers, where an unethical Issuer allows their RPID to be used (through a DNS sub-domain) by trackers, to violate Consumer privacy at sites that may have nothing to do with payments. We really need passwordless FIDO to be deployed at scale before we can learn where gaps exist; with the exception of https://digitalbank-test.com and https://demo.strongkey.com, I haven't seen much of passwordless FIDO anywhere.

> .. and site B is in full control of the registration ceremony just like it would be with a full page redirect.

Unfortunately, it's not a full page redirect, Emil (@emlun) - it's an iframe that doesn't provide very much information to Consumers on which RP they're dealing with and what happens with whatever data Consumers provide in that iframe. We accepted this over the years for card payments, but we're in a post-GDPR/CCPA era now where legal mandates have to be addressed by technical implementations.

(Thank you for trying to clear it up - I wasn't under a misconception; perhaps I used the term "multi-party" a little loosely where I was implying that the Consumer _thinks_ they're dealing with site A, but in reality, they are dealing with two sites, A and B, with site B operating in the iframe - for the vast majority of the internet - in the guise of site A).

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-892989302 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 August 2021 21:32:27 UTC