- From: Ackermann Yuriy via GitHub <sysbot+gh@w3.org>
- Date: Mon, 21 Nov 2022 10:53:04 +0000
- To: public-webauthn@w3.org
The credential is locked to the RPID id. RP can manipulate it within the scope of one eTLD: example.com, login.example.com, very.long.sub.domain.example.com. The RPID is a fundamental part of FIDO/WebAuthn security. The private key is stored as a pair of CredID and RPID hash on the authenticator.

> Wouldn't the website-specific challenge created during the login ceremony mitigate this risk? A MITM able to capture the signed message generated by the user during the login on www.good-website.com wouldn't be able to reuse it to login inside www.bad-website.com, as the challenge to be signed is different.

Yes, challenge is part of MITM. Origin/RPID are defending against phishing.

> Also, given the state of the art of the standard, do you see any way to achieve a "unified login" user experience while preserving the security of the user?

FIDO/WebAuthn solves the authentication problem. For inter-domain authorization there are OIDC, and if you really have to, SAML. Additionally you can do credential.get through an iFrame, so login via iFrame.

--
GitHub Notification of comment by herrjemand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1827#issuecomment-1321865259 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 21 November 2022 10:53:10 UTC
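The two checks the comment above separates (challenge against replay, origin and RP ID hash against phishing) as they appear on the relying-party side of an assertion. This is an added illustration, not code from the thread or from the WebAuthn spec; the challenge value, the origins and the helper names (`verify_assertion`, `make_client_data`, `make_auth_data`) are constructed for the example, and signature verification against the stored public key is left out.

```python
import base64
import hashlib
import json

# Constructed 32-byte challenge, as the RP would have issued for one login ceremony.
CHALLENGE = b"constructed-32-byte-challenge!!!"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    # Constructed clientDataJSON as the browser would produce it for credential.get().
    return json.dumps({"type": typ, "challenge": b64url_encode(challenge), "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 7) -> bytes:
    # Constructed authenticatorData: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     allowed_origins: set, rp_id: str) -> tuple:
    """Return (True, "ok") or (False, reason) for the RP-side checks discussed in the thread."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Replay defence: the signed challenge must be the one this RP issued for this session.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # Phishing defence, part 1: the browser-reported origin must be one the RP expects.
    if cd.get("origin") not in allowed_origins:
        return False, "origin not allowed"
    # Phishing defence, part 2: the authenticator bound the key to SHA-256(rpId).
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    origins = {"https://example.com", "https://login.example.com"}
    cd = make_client_data("https://login.example.com", CHALLENGE)
    print(verify_assertion(cd, make_auth_data("example.com"), CHALLENGE, origins, "example.com"))
```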