- From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
- Date: Sat, 06 Jul 2024 00:49:27 +0000
- To: public-webauthn@w3.org
> You could also brute-force a `(credential-ID, signature)` pair

Yes, I also realized that last night, along with the fact that an attacker could choose the salt for a victim, and have precomputed dictionaries for that salt. And most damning of all, that actually makes phishing attacks attractive for an attacker. That realization dampened my enthusiasm for the whole thing a fair bit.

> But perhaps some [PAKE](https://datatracker.ietf.org/doc/draft-irtf-cfrg-opaque/)-based approach

My intention was to cram something almost as good as a PAKE into the existing framework that WebAuthn provides, but given the above, it is clear to me that it isn't almost as good as a PAKE, so yes, I agree.

Thanks for humoring me!

--
GitHub Notification of comment by dolda2000

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2091#issuecomment-2211547261 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 6 July 2024 00:49:28 UTC