- From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
- Date: Wed, 03 Jul 2024 15:36:06 +0000
- To: public-webauthn@w3.org
Thanks for the thoughtful reply! >the same password would result in the same credential ID for different users I wonder if you did not misunderstand the credential ID construction; the password is not part of it at all. Rather, most of the credential ID is just a randomly generated salt, so with 32 randomly generated bytes, I would indeed expect all credential IDs to be different. Since the public key (that the server stores) is only derived from the salt, RPID and password, however, a malicious server could certainly bruteforce the user's password over time, but I believe this is intrinsic to any possible authentication protocol based on passwords alone (if a system can validate a password for login, then of course it can also bruteforce it). I don't think a third party would be able to do that, however. >So any way you twist it, the problem is that there just isn't enough entropy in most human-chosen passwords Naturally, this is the problem of any authentication scheme involving passwords only. My main point is that there are many situations where it is impractical to use any other factor than a password alone, and specifically *in such situations*, for the reasons I started out with, WebAuthn would significantly alleviate (even if certainly not eliminate) many of the problems of password-only authentication. --- As for `hash_to_field`, thank you very much for the link. I had tried finding prior art for deriving EC keys from passwords, but was unable to find any. However, while I haven't read and understood RFC 9380 fully yet, it does not necessarily sound as though it generates an ECDSA private key. It's not immediately obvious to me what the output of `hash_to_field` is when applied to the right parameters, but the abstract talks about generating *points* on an elliptic curve, whereas a private ECDSA key is just a scalar. I'll continue reading it, though. -- GitHub Notification of comment by dolda2000 Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2091#issuecomment-2206588367 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 3 July 2024 15:36:08 UTC