New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity #1257
Comments
I don't think the main concern is spatial proximity, but rather that the communication with the authenticator must be mediated by the user's client so that it can enforce origin restrictions. The example brought up on yesterday's WG call was using network-based transports to communicate with the authenticator, much like using a mobile push notification as 2nd factor. Consider an authentication flow like this:
This architecture is vulnerable to phishing:
I'm guessing browser extensions like Krypton can get around this during installation by setting up a long-lived session between the extension and Krypton's server, so that their server can refuse to send the push notification if initiated from anywhere else than the user's registered browser, so that the browser can enforce the origin restrictions. |
I'm definitely curious to hear if folks feel that proximity is a factor that provides phishing resistance properties. I've heard that reasoning more than once, but I'm not sure I understand the claim. The architecture @emlun describes above is definitely vulnerable to phishing. I would assume that, in the case of a network-based transport, the WebAuthn client would still be required to do the domain checking that it does with the other transports. In my mind the browser would still act as the client in such a case, rather than push notifications being triggered by the RP. Concerns about phishing can be mitigated by some sort of channel binding between the browser and the authenticator, or by placing trust in the cloud service that manages the push notifications. Both approaches have their own advantages and drawbacks. |
@emlun's analysis of the phishability of the architecture outlined in his #1257 (comment) seems overall correct (on quick skim) The original thrust of this issue is "authnr & client platform proximity" which is a not-so-clear way to say "authnr & client secure channel establishment via a non-MITM-able non-evesdropable channel, e.g., one requiring physical proximity, eg the authnr scanning a local-client-displayed QR code containing iniital key seeds/shares, or, the client and authnr communicating over physical USB connection (and sharing keys), or over NFC (and sharing keys)." I.e., this is how caBLE's handshake's security guarantees are established. |
…uthnr & client platform proximity (#1333) * Add security consideration on client-authnr direct communication See issue #1257 #1257 * Address @equalsJeffH's review comments * Add missing CSS class .figure-num-previous * Rewrite proximity section shorter and discuss benefits of physical proximity * Add commas suggested by @agl Co-Authored-By: Adam Langley <agl@google.com> Co-authored-by: Adam Langley <agl@imperialviolet.org>
Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity
The text was updated successfully, but these errors were encountered: