Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't exclude U2F credentals #1235

Closed
agl opened this issue Jun 12, 2019 · 5 comments · Fixed by #1244
Closed

Can't exclude U2F credentals #1235

agl opened this issue Jun 12, 2019 · 5 comments · Fixed by #1244
Assignees
@agl
Labels
stat:pr-open subtype:extensions type:technical
Milestone
L2-WD-02

Comments

@agl
Copy link
Contributor

agl commented Jun 12, 2019

There's no appid extension when making a credential. Therefore the excludeList, if any, is only excluding WebAuthn credentials. So sites doing the transition cannot exclude authenticators by U2F credential ID.

We could fix this in WebAuthn if we wished. From the call of 2019-06-12, it's not yet clear how people feel about it.
@sbweeden
Copy link
Contributor

Why would any actor (user, client, or RP) really care if the same authenticator was registered twice at a site - once with a u2f credential and another with webauthn?

@emlun
Copy link
Member

emlun commented Jun 13, 2019

You could end up in a situation where your account security settings page has "duplicates" in the sense that they are two credentials on the same authenticator. I believe if both are present in allowCredentials the WebAuthn credential would probably override the U2F one, judging by how the appid extension client processing is written. So probably the U2F authenticator would end up not being used.

Here's a rather contrived scenario leading to a security issue:

  1. Alice has been using authenticator A for a while, and has accidentally had it registered as both an AppID authenticator and an RP ID authenticator.
  2. Mallory gifts Alice a next-generation authenticator B. Alice now wants to retire authenticator A and use authenticator B instead.
  3. Alice registers authenticator B with an RP, then logs out and logs back in with authenticator A.
  4. On the security settings page, Alice sees that "Authenticator A" was used to log in "less than a minute ago" and pushes the button to delete that authenticator from her account.
  5. Confident that authenticator A can no longer be used to log in to her account, Alice gives authenticator A to Mallory.
  6. Mallory, having planned this all along, can now use authenticator A to access Alice's account (assuming Mallory has also obtained Alice's password) since it's still registered as a U2F authenticator.

I think this problem, and many others, is probably best solved by teaching good security hygiene. We should encourage RPs to allow (or even require) users to set nicknames for their credentials, and to periodically encourage users to review their security settings and clean out any credentials that haven't been used in a while. I'm not sure it's appropriate to include such guidance in the spec, though. That might be better suited for third-party documentation.

In any case, at least there won't be any issues with orphaned resident credentials since U2F doesn't support them. As soon as they're deleted from the server, they're also "deleted" from the authenticator.

@bdewater
Copy link

From an RP perspective: the user doesn't care much about, and probably doesn't even know, the difference between how their authenticator was registered. Ideally a migration is completely transparent to them and their U2F-registered credential should word just the same when the RP switches to WebAuthn (although some changes in browser UX may not be unavoidable, e.g. Chrome).

Double registration can be prevented in both U2F and WebAuthn, but in this migration scenario it breaks down and can cause confusion. It would be nice if this area was also fully backwards compatible/"just works".

I believe if both are present in allowCredentials the WebAuthn credential would probably override the U2F one, judging by how the appid extension client processing is written.

Based on some quick testing, Firefox 67 behaves this way. Chrome 74 seems to pick the first offered credential in allowCredentials, but this may be due to the AppID extension not working for me in Chrome and Safari.

@agl
Copy link
Contributor Author

agl commented Jun 17, 2019

but this may be due to the AppID extension not working for me in Chrome and Safari.

(If you have an issue in Chrome, please do file at crbug.com and point me at it. Something works with the appid extension in Chrome though because we moved accounts.google.com to it.)

@nadalin nadalin added this to the L2-WD-02 milestone Jun 19, 2019
@lgarron
Copy link
Contributor

lgarron commented Jun 19, 2019
edited

While working on webauthn support for github.com, I was thoroughly confused by the existing behaviour and thought I did something wrong (e.g. perhaps I converted key handles to credential IDs in a way that works only for some cases).

Although @emlun's scenario is somewhat contrived, I would strongly like to echo the importance of a transparent migration from U2F. We don't want users to have think about which of their security key registrations are U2F vs. webauthn. It could be very confusing if a duplicate registration for the "same" key works only sometimes, especially given that it might work the "first" time but not the following times.

Or rather, it could be misleading instead of confusing. Experiences with debugging issues during our webauthn transition suggest that discrepancies like this can really mess with someone's mental model.

Also, I'd like to note that some major sites (e.g. google.com during initial launch) do not support naming registered authenticator keys, making it difficult to tell if a particular key is already registered/which registration it is.

So, we'd really like to see the webauthn support this behaviour!

agl pushed a commit to agl/webauthn that referenced this issue Jun 24, 2019
Add “appidExclude” extension.
62a7b3b 
This change adds a registration-only “appidExclude” extension that
allows platforms to make excludeCredentials effective when transitioning
from U2F.

It's a separate extension from “appid” because that extension was
documented in level one as being authentication-only and some
implementations thus reject it for registration. Also, having an
“appid” extension that's effective during registration invites people to
believe that it does the “obvious” thing and allows the creation of U2F
credentials, which isn't true.

Fixes w3c#1235.
@agl agl mentioned this issue Jun 24, 2019
Merged
baloo pushed a commit to baloo/python-fido2 that referenced this issue Aug 9, 2019
implement FIDO AppID Exclusion Extension
01b931f 
introduced in the spec on 2019/07/31

see: w3c/webauthn#1244
see: w3c/webauthn#1235

Signed-off-by: Arthur Gautier <baloo@gandi.net>
@baloo baloo mentioned this issue Aug 9, 2019
Merged
baloo pushed a commit to baloo/python-fido2 that referenced this issue Aug 9, 2019
implement FIDO AppID Exclusion Extension
1630aa1 
introduced in the spec on 2019/07/31

see: w3c/webauthn#1244
see: w3c/webauthn#1235

Signed-off-by: Arthur Gautier <baloo@gandi.net>
@P4sca1 P4sca1 mentioned this issue Feb 10, 2020
Closed
@P4sca1 P4sca1 mentioned this issue May 25, 2020
Closed
@yaleman yaleman mentioned this issue Dec 19, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@agl agl

Labels
stat:pr-open subtype:extensions type:technical
Projects
None yet
Milestone
L2-WD-02
Development

Successfully merging a pull request may close this issue.

Add “appidExclude” extension. agl/webauthn
6 participants
@agl @lgarron @bdewater @emlun @nadalin @sbweeden