[webauthn] Security threat: Username enumeration

SecureFrom has just created a new issue for https://github.com/w3c/webauthn:

== Security threat: Username enumeration ==
The draft webauthn specification doesn't appear to recognise username enumeration as a security consideration when in reality it is a significant issue when using webauthn as a first factor (passwordless) authentication mechanism.

Username enumeration is often overlooked by developers but actually it can have major ramifications for users and sites. Troy Hunt explains it well in his blog:-
 * https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked

I note sites may be likely to use email addresses as usernames, but even if they don't, any usernames may still contain real world identities or other confidential identifying information.

I believe it's an important issue for the webauthn specification because:-
 * All implementations based solely on the current webauthn specification would be affected
 * All the demos I found have this problem (demonstrating it will likely be a common misstep)
 * Even when the risk is understood, mitigation would be difficult with the current protocol design

Recommendations:-
 1. Add User enumeration to the list of security and/or privacy considerations
 2. Change the registration and validation documentation to make clear sites should avoid this issue by not informing end users when usernames are not found in their database. It will be necessary for them to mock user public keys to prevent more sophisticated attackers from recognising the failed attempt.
 3. Consider amending the protocol to make it simpler for developers to do the right thing and not allow user enumeration. Currently developers would need to mock complex data structures to prevent unknown users being discerned from known users.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1014 using your GitHub account

Received on Thursday, 26 July 2018 00:09:33 UTC
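An added example, not part of the issue above or of the webauthn project, illustrating recommendation 2 on the relying-party side: the server builds assertion options for an unknown username with deterministic decoy credential IDs so that the response has the same shape as for a registered user, beside the leaky pattern the issue criticises. The credential store, `DECOY_KEY` and `RP_ID` are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: username -> list of credential IDs (bytes).
# Only alice is registered; every other username is unknown.
USERS = {
    "alice@example.com": [bytes.fromhex("a1" * 16)],
}

# Assumed per-deployment secret, kept server-side. It must stay stable so that
# repeated lookups of the same unknown username return the same decoy IDs.
DECOY_KEY = bytes.fromhex("0f" * 32)
RP_ID = "example.com"  # constructed value


def decoy_credential_ids(username, count=1):
    """Derive deterministic fake credential IDs for an unknown username.

    Determinism matters: a decoy that changed on every request would let a
    client tell unknown users from known ones simply by asking twice.
    """
    return [
        hmac.new(DECOY_KEY, f"{username}:{i}".encode(), hashlib.sha256).digest()[:16]
        for i in range(count)
    ]


def assertion_options(username, store=USERS):
    """PublicKeyCredentialRequestOptions that look identical for known and unknown users."""
    cred_ids = store.get(username)
    if cred_ids is None:
        cred_ids = decoy_credential_ids(username)  # same number and size of IDs as a real user
    return {
        "challenge": secrets.token_bytes(32),
        "rpId": RP_ID,
        "timeout": 60000,
        "userVerification": "preferred",
        "allowCredentials": [{"type": "public-key", "id": cid} for cid in cred_ids],
    }


def leaky_assertion_options(username, store=USERS):
    """The pattern the issue criticises: an empty reply reveals the username is not registered."""
    cred_ids = store.get(username)
    if cred_ids is None:
        return None
    return assertion_options(username, store)


def response_shape(options):
    """What a client can observe without a valid authenticator: keys, count and ID sizes."""
    return (sorted(options), [len(c["id"]) for c in options["allowCredentials"]])
```

The finish step must then fail for a decoy credential in the same way and time as a bad signature, otherwise the distinction moves to the second round trip.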