- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 06 Jul 2022 13:04:24 +0000
- To: public-webauthn@w3.org
The text in question was added in PR #1041 which was motivated by issue #578. It's more to do with not revealing the identity of an authenticator's owner without authentication, for example if a security key is stolen or dropped on the street. Authenticators are required to keep `name` and `displayName` secret unless they've authenticated the user, but may reveal the user handle without authentication.

As a concrete example, [CTAP 2.0](https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetAssertion) reveals user handles without authentication when called with empty `allowCredentials`. This is also the default in CTAP 2.1, but many client platforms now set the [`credProtect` extension](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credProtect-extension) to keep credential existence secret unless the user passes user verification or the caller already knows the credential ID.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1763#issuecomment-1176197715 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 6 July 2022 13:04:30 UTC
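The behaviour Emil describes (user handles discoverable with an empty `allowList`, `name`/`displayName` withheld until user verification, and `credProtect` hiding credentials unless UV passes or the caller already holds the credential ID) is modelled below. This is an added illustration, not code from the comment, the WebAuthn spec, or any authenticator; the credential records, the `get_assertion` function and the three `credProtect` level constants follow the CTAP 2.1 extension (0x01 `userVerificationOptional`, 0x02 `userVerificationOptionalWithCredentialIDList`, 0x03 `userVerificationRequired`), while the data shapes and the simplification that the user handle is always returned for a usable discoverable credential are assumptions made for the model.

```python
"""Toy model of a CTAP 2.1 authenticator's credential filtering in
authenticatorGetAssertion, showing what a caller learns without
user verification depending on credProtect. Added example, not spec code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# credProtect levels defined by the CTAP 2.1 credProtect extension.
UV_OPTIONAL = 0x01                     # default: discoverable without UV
UV_OPTIONAL_WITH_CRED_ID_LIST = 0x02   # hidden unless UV passed or ID in allowList
UV_REQUIRED = 0x03                     # never usable without UV


@dataclass(frozen=True)
class StoredCredential:
    """A discoverable credential as an authenticator might store it (assumed shape)."""
    cred_id: bytes
    rp_id: str
    user_handle: bytes
    name: str
    display_name: str
    cred_protect: int = UV_OPTIONAL


@dataclass(frozen=True)
class AssertionUser:
    """The 'user' portion of an assertion response. name/display_name are
    None when the authenticator did not verify the user."""
    cred_id: bytes
    user_handle: bytes
    name: Optional[str]
    display_name: Optional[str]


def _usable(cred: StoredCredential, allow_list: List[bytes], uv_passed: bool) -> bool:
    """Apply the credProtect policy for a single stored credential."""
    if cred.cred_protect == UV_REQUIRED:
        # Level 3: only ever usable after user verification.
        return uv_passed
    if cred.cred_protect == UV_OPTIONAL_WITH_CRED_ID_LIST:
        # Level 2: usable without UV only if the caller already knows the ID.
        return uv_passed or cred.cred_id in allow_list
    # Level 1 (default): usable, and discoverable, without UV.
    return True


def get_assertion(store: Iterable[StoredCredential], rp_id: str,
                  allow_list: List[bytes], uv_passed: bool) -> List[AssertionUser]:
    """Return the credentials an authenticator would offer for rp_id.

    An empty allow_list means a discoverable-credential request: every
    credential for rp_id is a candidate. A non-empty allow_list restricts
    candidates to the IDs the caller supplied. credProtect then decides
    which candidates are usable without UV. An empty result corresponds
    to CTAP2_ERR_NO_CREDENTIALS."""
    candidates = [c for c in store if c.rp_id == rp_id
                  and (not allow_list or c.cred_id in allow_list)]
    results = []
    for cred in candidates:
        if not _usable(cred, allow_list, uv_passed):
            continue
        results.append(AssertionUser(
            cred_id=cred.cred_id,
            user_handle=cred.user_handle,          # may be revealed without UV
            name=cred.name if uv_passed else None,  # identity fields need UV
            display_name=cred.display_name if uv_passed else None,
        ))
    return results


def exposed_user_handles(store: Iterable[StoredCredential], rp_id: str) -> List[bytes]:
    """What a thief with physical access (no PIN, no biometric) learns by
    asking for rp_id with an empty allowList."""
    return [r.user_handle for r in get_assertion(store, rp_id, [], uv_passed=False)]


# Constructed sample store: three discoverable credentials for one RP,
# one at each credProtect level.
SAMPLE_STORE = [
    StoredCredential(b"\x01" * 16, "example.com", b"uh-alice", "alice", "Alice", UV_OPTIONAL),
    StoredCredential(b"\x02" * 16, "example.com", b"uh-bob", "bob", "Bob", UV_OPTIONAL_WITH_CRED_ID_LIST),
    StoredCredential(b"\x03" * 16, "example.com", b"uh-carol", "carol", "Carol", UV_REQUIRED),
]

if __name__ == "__main__":
    print("empty allowList, no UV ->", exposed_user_handles(SAMPLE_STORE, "example.com"))
    print("allowList [bob], no UV ->", get_assertion(SAMPLE_STORE, "example.com", [b"\x02" * 16], False))
    print("empty allowList, UV    ->", [r.name for r in get_assertion(SAMPLE_STORE, "example.com", [], True)])
```

The point the model makes visible: with the default level 0x01, a found or stolen key hands over the user handle (but not `name`/`displayName`) to anyone who asks; a client platform that registers at level 0x02 keeps the credential, and therefore the handle, invisible to an empty-`allowList` probe while still letting the legitimate RP use it non-discoverably by supplying the credential ID.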