google / webauthndemo

An example Node.js Relying Party implementation of the WebAuthn specification
https://try-webauthn.appspot.com
Apache License 2.0

Detect use of the same authenticator on a per user #37

Closed kasecato closed 6 years ago

kasecato commented 6 years ago

I implemented detection of duplicate registration of an authenticator on a per-user basis when AttestationConveyancePreference is set and attestation statements are sent.

(attached screenshot: detect_converyance_pref_direct)

cpiper commented 6 years ago

Hi,

Is there something in the spec that says it is necessary to prevent duplicate registrations based on the attestation statement? As far as I was aware, only the excludeCredentials option should prevent duplicate registrations.

Casey

kasecato commented 6 years ago

Hi @cpiper ,

That's true. I totally misunderstood this Mozilla article.

Using an authenticator for one account is safe, but allowing a website to ask for extended information for multiple accounts using the same authenticator can permit that website to identify a link between those accounts. If you are concerned about having accounts linked together in this way, you should either deny extended information when prompted, or use different authenticators for the different accounts. https://support.mozilla.org/en-US/kb/privacy-web-authentication

Thanks