[webauthn] The risk that an attacker may be able to identify whether or not an account supports FIDO (#1475)

keikoit has just created a new issue for https://github.com/w3c/webauthn:

== The risk that an attacker may be able to identify whether or not an account supports FIDO ==
Hi, this is Keiko Itakura from Rakuten, which is a member of both the W3C and FIDO Alliance Japan.

I'm currently discussing the following security risk in WebAuthn at the FIDO Japan working group.
May I ask for the W3C's thoughts on it, and for the schedule if you have a plan to mention it in the WebAuthn specification?

- The risk that an attacker may be able to identify whether or not an account supports FIDO

There is a possibility that the CredentialID/Username pair is exposed in the case of NRK (non-resident key). For example, an attacker could send guessable usernames (e-mail addresses, etc.) to the RP and observe the reply from the RP server for each one; if something CredentialID-like is returned, it can be determined that the account is FIDO-supported, because the reply is different from the case where FIDO is not supported. Using this point, the attacker can distinguish FIDO accounts from unsupported accounts, and from that they can see that the unsupported ones have weaker security and are easier to attack. What do you think, and how should this problem be addressed?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1475 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 28 August 2020 03:39:45 UTC