Pravesh,
The goal of allowCredentials is to make it easier for the user to
authenticate, and faster for the RP to determine which public-key to use
to verify a signed challenge during the authentication phase:
- User comes to login page
- User types in username
- RP retrieves credentialIds and sends it in allowCredentials
- Authenticators with the right credentialId "light up"
- User responds with TUP or UV
- Challenge is signed and returned
- RP uses public-key to verify response
- User is authenticated
If some attacker is trying to figure out if a specific username is (or
random usernames are) registered with the RP, the FIDO server can send
back a random credentialId and challenge to thwart the attacker.
Open-source FIDO servers
(
https://sourceforge.net/projects/strongkeyfido/) are capable of
generating tens of thousands (or even millions) of random credentialIds
with public-keys that can never be verified to a real credentialId
regardless of how diligent the attacker is. (If you are NOT paying a
license fee per credentialId for a FIDO server, does it matter how many
unverifiable credentialIds you can store in a distinct FIDO server to
waste the attacker's time?)
If the attacker does not have an Authenticator that can match up with a
valid credentialId, he is NEVER going to respond successfully to a
challenge. So, whether the attacker learns that a specific username is
registered or not with the RP, how does it help the attacker compromise
the account?
Besides, with 35K publicly disclosed data breaches and 17.7B breached
records (
https://privacyrights.org/data-breaches), what is private
anymore? As long as the user has their private key in a Security Key,
there is some assurance of security (to the extent you can trust the
Security Key).
With synchronized passkeys in the cloud, the RP has already chosen to
break the FIDO privacy guarantee to the user (and potentially, the
security of the user's private-key) by allowing the
passkey-service-provider to store the key-pair in the cloud. With IBM
and an HBR article claiming that 80% of all data breaches in 2023
originated in the cloud
(
https://hbr.org/2024/02/why-data-breaches-spiked-in-2023), the
probability of a compromised credential is higher than with a known
credentialId in a Security Key under the control of the user.
Arshad Noor
StrongKey
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
fido-dev+u...@fidoalliance.org
> <mailto:
fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
>
https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/ac90badf-778a-4f0a-9b5f-065a5a59c04fn%40fidoalliance.org <
https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/ac90badf-778a-4f0a-9b5f-065a5a59c04fn%40fidoalliance.org?utm_medium=email&utm_source=footer>.