duo-labs / py_webauthn

Pythonic WebAuthn 🐍
https://duo-labs.github.io/py_webauthn
BSD 3-Clause "New" or "Revised" License

Minor data leak #47

Closed bortels closed 3 years ago

bortels commented 5 years ago

The behavior on login is different depending on whether the user exists (you are prompted to activate the device) versus does not exist (you are told so). This would allow an attacker to test candidate users to find if they have a registered device, and perhaps then target that user. (I know "Bob Smith" works for such-and-so, and "bsmith" is a valid name, time to steal his keyring with his fido2 device at lunch). It's a stretch, but it's probably best if the authentication pretends the username is valid no matter what, and gives the same response to both scenarios, so attackers can't use account validity as a filter.

futureimperfect commented 5 years ago

Hi @bortels,

Thanks for providing this feedback. It's something I've thought about, and I also know it has been a general concern with WebAuthn when credential IDs are revealed when a valid username is provided.

I'll think about this some more and come up with a plan.

Thanks again!

nickmooney commented 4 years ago

I think a solution to this would be to deterministically create random allowLists for unknown usernames. This could be done using an HMAC keyed on a secret key with the username as input.
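As an added example, not code from this issue or from py_webauthn itself, here is one way to implement the HMAC-derived decoy allowList in plain Python with only the standard library. The secret key, the in-memory credential store, the 32-byte credential ID length and the 1-to-2 decoy count are assumptions chosen for illustration; the returned IDs would go into the allowCredentials of the assertion options exactly as real ones do.

```python
import hashlib
import hmac
from typing import Dict, List

# Server-side secret used only to derive decoy credential IDs. Constructed for
# this example; in deployment load it from a secret store and keep it stable
# across restarts, otherwise the decoys for a username would change and the
# change itself would reveal that the username is unknown.
DECOY_HMAC_KEY = b"example-only-decoy-key-replace-me"

# Constructed sample store: username -> list of real registered credential IDs.
CREDENTIAL_STORE: Dict[str, List[bytes]] = {
    "alice": [bytes.fromhex("aa" * 32)],
}


def decoy_credential_ids(username: str, key: bytes = DECOY_HMAC_KEY,
                         id_length: int = 32) -> List[bytes]:
    """Derive decoy credential IDs for a username with no registered device.

    The derivation is an HMAC keyed on the server secret with the username as
    input, so the same unknown username always yields the same decoys and a
    repeated query looks no different from a real account.
    """
    mac = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    # Also derive the number of decoys (1 or 2, an assumed range matching
    # typical real users) from the MAC so the count is not a tell either.
    count = 1 + (mac[0] & 1)
    ids = []
    for i in range(count):
        per_id = hmac.new(key, mac + bytes([i]), hashlib.sha256).digest()
        ids.append(per_id[:id_length])
    return ids


def allow_list_for(username: str) -> List[bytes]:
    """Return the allowList for a login attempt without revealing whether the
    username is registered: real IDs if known, deterministic decoys if not."""
    real = CREDENTIAL_STORE.get(username)
    if real:
        return list(real)
    return decoy_credential_ids(username)
```

Because a decoy is never a registered credential, any assertion an attacker returns against it fails the normal credential lookup, so no further branch is needed on the unknown-user path.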