New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't exclude U2F credentals #1235
Comments
Why would any actor (user, client, or RP) really care if the same authenticator was registered twice at a site - once with a u2f credential and another with webauthn? |
You could end up in a situation where your account security settings page has "duplicates" in the sense that they are two credentials on the same authenticator. I believe if both are present in Here's a rather contrived scenario leading to a security issue:
I think this problem, and many others, is probably best solved by teaching good security hygiene. We should encourage RPs to allow (or even require) users to set nicknames for their credentials, and to periodically encourage users to review their security settings and clean out any credentials that haven't been used in a while. I'm not sure it's appropriate to include such guidance in the spec, though. That might be better suited for third-party documentation. In any case, at least there won't be any issues with orphaned resident credentials since U2F doesn't support them. As soon as they're deleted from the server, they're also "deleted" from the authenticator. |
From an RP perspective: the user doesn't care much about, and probably doesn't even know, the difference between how their authenticator was registered. Ideally a migration is completely transparent to them and their U2F-registered credential should word just the same when the RP switches to WebAuthn (although some changes in browser UX may not be unavoidable, e.g. Chrome). Double registration can be prevented in both U2F and WebAuthn, but in this migration scenario it breaks down and can cause confusion. It would be nice if this area was also fully backwards compatible/"just works".
Based on some quick testing, Firefox 67 behaves this way. Chrome 74 seems to pick the first offered credential in |
(If you have an issue in Chrome, please do file at crbug.com and point me at it. Something works with the appid extension in Chrome though because we moved accounts.google.com to it.) |
While working on webauthn support for github.com, I was thoroughly confused by the existing behaviour and thought I did something wrong (e.g. perhaps I converted key handles to credential IDs in a way that works only for some cases). Although @emlun's scenario is somewhat contrived, I would strongly like to echo the importance of a transparent migration from U2F. We don't want users to have think about which of their security key registrations are U2F vs. webauthn. It could be very confusing if a duplicate registration for the "same" key works only sometimes, especially given that it might work the "first" time but not the following times. Or rather, it could be misleading instead of confusing. Experiences with debugging issues during our webauthn transition suggest that discrepancies like this can really mess with someone's mental model. Also, I'd like to note that some major sites (e.g. google.com during initial launch) do not support naming registered authenticator keys, making it difficult to tell if a particular key is already registered/which registration it is. So, we'd really like to see the webauthn support this behaviour! |
This change adds a registration-only “appidExclude” extension that allows platforms to make excludeCredentials effective when transitioning from U2F. It's a separate extension from “appid” because that extension was documented in level one as being authentication-only and some implementations thus reject it for registration. Also, having an “appid” extension that's effective during registration invites people to believe that it does the “obvious” thing and allows the creation of U2F credentials, which isn't true. Fixes w3c#1235.
introduced in the spec on 2019/07/31 see: w3c/webauthn#1244 see: w3c/webauthn#1235 Signed-off-by: Arthur Gautier <baloo@gandi.net>
introduced in the spec on 2019/07/31 see: w3c/webauthn#1244 see: w3c/webauthn#1235 Signed-off-by: Arthur Gautier <baloo@gandi.net>
There's no
appid
extension when making a credential. Therefore the excludeList, if any, is only excluding WebAuthn credentials. So sites doing the transition cannot exclude authenticators by U2F credential ID.We could fix this in WebAuthn if we wished. From the call of 2019-06-12, it's not yet clear how people feel about it.
The text was updated successfully, but these errors were encountered: