w3c / webappsec-credential-management

WebAppSec Credential Management
https://w3c.github.io/webappsec-credential-management/

Dealing with failed logins #42

Open battre opened 7 years ago

battre commented 7 years ago

The spec does not give precise guidelines for dealing with failed logins.

Assume the following setup:

As a result of this, the user will be notified about a login attempt on every navigation that will always fail.

What should we do about this?

vabr-g commented 7 years ago

Just to clarify confusion, the above scenario assumes that the stored credentials do not match server expectations (are out of date).

The repeated failed auto-sign-in is only troublesome because the user keeps seeing the notification. If I read the spec correctly, the user agent is not forced to show that notification. While it is reasonable to do so (implied also by "the notification that credentials have been provided" in https://w3c.github.io/webappsec-credential-management/#privacy-signout), perhaps this still can be throttled by the user agent?

Following on that line of thought, the user agent might certainly analyse this strange behaviour and suggest to the user that they delete the stored credential. I don't think we should let the page delete credentials via a new delete() call. Even if this requires user consent, users are often happy to click without reading; deleting a credential might cause loss of access (in different situations) and perhaps be used in some attacks to replace the user's credentials with attacker-controlled ones (not going to try to come up with a complete attack now).

The suggestion with requireUserMediation() + get(..."unmediated": true) sounds reasonable to me.

Other than that, I think the spec does not need to specify a solution to the repeating notification problem, because it leaves enough room for the user agent to fix this without conflicting with the spec.
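The requireUserMediation() + get(..."unmediated": true) approach discussed above, as an added example that is not code from the spec, from this thread, or from any browser. It is written as page-side JavaScript but takes the credentials container and the fetch function as parameters so it can be exercised outside a browser with the constructed fakes below; in a page you would pass navigator.credentials and window.fetch. The "/api/login" endpoint, the JSON body shape, and a readable `password` attribute on the credential are assumptions (later drafts renamed `unmediated: true` to `mediation: "silent"` and requireUserMediation() to preventSilentAccess()).

```javascript
// Added example (not from the spec or this thread): a page's handling of a
// failed unmediated sign-in, i.e. get({password: true, unmediated: true})
// followed by requireUserMediation() when the server rejects the stored
// credential. Later drafts renamed these to mediation: "silent" and
// preventSilentAccess().
//
// The credentials container and fetch function are passed in so the logic can
// run outside a browser; in a page you would pass navigator.credentials and
// window.fetch. "/api/login" and the JSON body shape are assumptions.

async function attemptSilentSignIn(credentials, fetchFn, loginUrl = "/api/login") {
  // Silent request: no chooser UI, but the UA still notifies the user if it
  // hands over a credential (the notification this thread is about).
  const cred = await credentials.get({ password: true, unmediated: true });
  if (!cred) {
    return { status: "no-credential" };
  }

  // Assumes the credential exposes a readable password; whether script could
  // read it differed between drafts of the spec.
  const resp = await fetchFn(loginUrl, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ id: cred.id, password: cred.password }),
  });
  if (resp.ok) {
    return { status: "signed-in", id: cred.id };
  }

  // The stored credential is stale. Do not try to delete it from the page (the
  // thread argues against giving pages a delete()); instead set the origin's
  // "require user mediation" flag so the UA stops silently providing it on
  // every navigation. The user is mediated back in when they next sign in.
  await credentials.requireUserMediation();
  return { status: "rejected", id: cred.id };
}

// Stand-in for navigator.credentials (constructed for this example) that
// models the relevant behaviour: a silent get() returns null once the origin's
// require-user-mediation flag is set, and every credential handed to the page
// counts as one user-visible notification.
class FakeCredentialsContainer {
  constructor(stored) {
    this.stored = stored;            // { id, password } or null
    this.requireMediation = false;   // the origin's flag
    this.notifications = 0;          // "credentials were provided" notices shown
  }

  async get(options) {
    if (!options.password || !this.stored) return null;
    if (options.unmediated && this.requireMediation) return null;
    this.notifications += 1;
    return { type: "password", id: this.stored.id, password: this.stored.password };
  }

  async requireUserMediation() {
    this.requireMediation = true;
  }
}

// Constructed fake server: accepts exactly one password for the account.
function makeFakeFetch(acceptedPassword) {
  return async (_url, init) => {
    const { password } = JSON.parse(init.body);
    const ok = password === acceptedPassword;
    return { ok, status: ok ? 200 : 401 };
  };
}

// Simulate n navigations of the same page against one UA and one server and
// report what happened on each plus how many notifications the user saw.
async function simulateNavigations(n, storedPassword, serverPassword) {
  const ua = new FakeCredentialsContainer({ id: "alice", password: storedPassword });
  const fetchFn = makeFakeFetch(serverPassword);
  const statuses = [];
  for (let i = 0; i < n; i += 1) {
    statuses.push((await attemptSilentSignIn(ua, fetchFn)).status);
  }
  return { statuses, notifications: ua.notifications };
}

// Stale stored password: the first navigation is rejected and flips the flag;
// later navigations get no credential and show no notification.
simulateNavigations(3, "old-password", "new-password").then((r) => console.log(r));
```

With a stale stored password the user sees exactly one notification (on the navigation that discovers the mismatch) instead of one per navigation; with a matching password every silent sign-in succeeds and each one is notified as the spec requires.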

battre commented 7 years ago

The spec says "User agents MUST notify users when credentials are provided to an origin." https://w3c.github.io/webappsec-credential-management/#user-mediation-requirements

vabr-g commented 7 years ago

Thanks, I missed that. I still think the spec allows the user agent to fix the endless loop of notifications on every navigation. For example, similar to the checkbox that allows silencing alert() calls by a page, the user agent could decide to set the origin's "require_user_mediation" flag to true if the notifications get spammy.