Plumb User ID through #558
Conversation
We need to plumb the custom user id that the RP gave the authenticator during MakeCredential back through to the RP when doing getAssertion.
|
So the Privacy considerations section should be a statement about the issue of sharing PII with someone you were not expecting |
|
Edit: The above was wrong: exporting the user ID with the assertionresponse allows someone with physical access to the authenticator to turn an RP ID into a user ID. That's the risk that needs to be highlighted in the privacy considerations section. |
|
On 09/13/2017 01:35 PM, Anthony Nadalin wrote:
So the Privacy considerations section should be a statement about the issue of sharing PII with someone you were not expecting
also the risk of sharing PII with someone who might not want to receive
it/expect it to be in that field.
|
We only want the user id for the single factor use case (i.e., resident keys). In such a use case, the attacker has to convince the authenticator that it's the legit user -- so know the right PIN or get the device to cough up the assertion. Once the assertion is coughed up -- even if there is no user id -- the attacker can just give it to the RP and not only know the user id but actually see the user data... So IMHO, this is not too much of a concern. WDYT? |
|
Why is the user ID necessary for getAssertion? Even for the single factor use case, isn't it possible for the RP to identify the user from only the credential ID even with no allowCredentials? For example:
Shouldn't that work? |
|
It's a bad idea to have some external system with limited context responsible for generating unique indices for a database. We really need to key off something we control, not the authenticator. |
|
That does sound like a very valid point. |
I agree in the single-factor use case. I don't see anything in the patch that limits the privacy leak to the single-factor case. Am I missing something, or should we explicitly say that the authenticator shouldn't release the user ID when, e.g., it's been passed a credential ID? |
|
Sure. But only the actual RP will get it back, and if you have the credential ID (and can masquerade as the RP) you already have the corresponding account, right? Do we really need to limit this? |
|
@christiaanbrand Anyone with physical access to the authenticator can pretend to be any RP, and if they can also convince the authenticator that they're the user (trivial for second-factor authenticators), they can get the user ID for that RP out. I'm not certain that's a leak we should worry about, but we should decide whether to worry about it, and we should probably mention it in the privacy considerations section anyway. |
|
Credential IDs are not guaranteed unique in any way. Unless I missed something in the specs, it is perfectly valid to store all data locally and return a single byte key index. This has a lot of consequences that are not currently handled, especially in the RP assertion validation algorithm:
It also makes returning the User ID a necessity as you would have potentially thousands (millions) of accounts with this Credential ID for first factor scenarios. In any case, the specs assume Credential ID collisions are at least unlikely. It might be easier to add a few requirements to promote that than try to handle all the issues. I've raised an issue for this in the FIDO group. Should I raise one here too? |
|
Thanks, Johan! I believe that on the last W3C call (https://www.w3.org/2017/09/20-webauthn-minutes.html), we have agreement to plumb userid through -- which will hopefully solve all the aforementioned problems. Jeff is taking it on himself to review the PR meanwhile. |
|
@emlun: No, this will not make existing U2F devices incompatible. You are correct that existing U2F devices cannot store user ID so for U2F devices, This is similar to scenario where AAGUID is not being present in User ID is an hint for the RP's for lookup in their databases. User ID is not included in the signature itself. Its an extra information. |
|
@akshayku so it looks like this is ready to merge so that we can also merge https://github.com/fido-alliance/fido-2-specs/pull/300 |
|
@akshayku Ah yes, if it's optional then that's fine; I got the impression it would be a required output. But then again, if it's optional then RPs cannot in general rely on it being available. In that case I feel like it might be better to push this into an extension, and reserve the core for the parts that must always be present. |
|
This will be required for FIDO 2 devices. For U2F, we have a compatibility story as we anyway have to convert U2F assertion response to FIDO 2 response. And this is not part of the signature so can't be part of the extension. |
|
Not in the authenticator data as an authenticator extension, indeed, but couldn't it be returned as a client extension? Either way there's still the fact that it won't be available from all authenticators, regardless of whether or not it's required for FIDO 2 devices. RPs will still need to handle it not being available, so making it "required" seems rather moot. |
|
Why can this not be required for all resident-credential FIDO2 authenticators? Remember this whole deal is only about resident-credentials. If it's a U2F-type authenticator (even in FIDO2 land) none of this stuff is required. As Jeffrey mentioned yesterday, it should explicitly not be present if the keypair is being used as a second factor. |
|
Just for completeness. I approve this merge, with the understanding that Jeffrey @jyasskin will write up some language which says authenticators should never return userid (or any account info for that matter) when a signature was requested using a CredentialID [this means it's being used as a second factor]. See issue #720 |
|
@christiaanbrand or @jyasskin please merge |
Ah, those pieces of context had gone right over my head. In that case it makes sense. Sorry for making a fuss. |
index.bs
Outdated
| @@ -1721,6 +1725,7 @@ On successful completion, the authenticator returns to the user agent: | |||
| - The identifier of the credential (credential ID) used to generate the [=assertion signature=]. | |||
| - The [=authenticator data=] used to generate the [=assertion signature=]. | |||
| - The [=assertion signature=]. | |||
| - The user id associated with the credential used to generate the [=assertion signature=]. | |||
There was a problem hiding this comment.
Whatever name is chosen, use it here too.
|
TODO: Change names to not contain the word userid. It's confusing. |
|
How to folks feel about the term "user handle". I've already updated the PR. |
|
Looks fine to me. |
There was a problem hiding this comment.
I agree "user handle" seems like a good term. I suggest also updating §4.4 from
Its value’s id member is required, and contains an identifier for the account, specified by the Relying Party.
to
Its value’s id member is required, and contains the user handle for the account, specified by the Relying Party.
Perhaps also add it to the glossary?
|
Fine with me. |
As stated in #558 (comment) and #558 (comment) the user handle should not be returned when operating in 2nd factor mode (i.e., when given a non-empty `allowCredentials` list).
We need to plumb the custom user id that the RP gave the authenticator during MakeCredential back through to the RP when doing getAssertion.
Closes #556
Preview | Diff