Add a method to get the count of the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register #2222
Comments
I don't entirely understand what is being requested here. Limiting new account creation to dissuade one user from registering multiple accounts is a problem for the RP whether it uses passwords+2FA or passkeys. Passkeys aren't really a good means for achieving this.
This sounds like credential enumeration, which is frowned upon in the WebAuthn space for how easily it can be abused by bad actors. |
|
Hi, thank you for your answers.
I use pure passkeys to let users register on my site, and hope passkeys can be good at limiting the number of the accounts a user can register.
Yes, I mean credential enumeration. I think as a rely party can only get its own credentials, this will not cause bad problems. Do you think so?
…________________________________
发件人: Matthew Miller ***@***.***>
发送时间: 2024年12月27日 8:56
收件人: w3c/webauthn ***@***.***>
抄送: bigradish ***@***.***>; Author ***@***.***>
主题: Re: [w3c/webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (Issue #2222)
It is very easy for a user to register many accounts on a website which using webauthn, but it seems that there is no an easy way to limit this capability of the user, for it is not easy to identify the user or the authenticator...when the user is registering.
I don't entirely understand what is being requested here. Limiting new account creation to dissuade one user from registering multiple accounts is a problem for the RP whether it uses passwords+2FA or passkeys. Passkeys aren't really a good means for achieving this.
If there is a method that can get all the credentials for a rely party on the client device, the rely party (website) can easily limit the number of accounts a user can register using the client device.
This sounds like credential enumeration, which is frowned upon in the WebAuthn space for how easily it can be abused by bad actors.
―
Reply to this email directly, view it on GitHub<#2222 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBYBYLUQAJHQDEZRLR5MLT2HSQURAVCNFSM6AAAAABUH3OWDGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNRTGIYDGOBTHE>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
This is very much a problem since the RP could now tell that the same human or device owner was in control of those multiple accounts. |
|
Yes, this is exactly what I want. Why is this a problem? Ought not an RP know this situation? Could you give a use case to prove this is bad?
…________________________________
发件人: Shane Weeden ***@***.***>
发送时间: 2024年12月27日 10:48
收件人: w3c/webauthn ***@***.***>
抄送: bigradish ***@***.***>; Author ***@***.***>
主题: Re: [w3c/webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (Issue #2222)
Hi, thank you for your answers. I use pure passkeys to let users register on my site, and hope passkeys can be good at limiting the number of the accounts a user can register. Yes, I mean credential enumeration. I think as a rely party can only get its own credentials, this will not cause bad problems. Do you think so?
This is very much a problem since the RP could now tell that the same human owned those multiple accounts.
―
Reply to this email directly, view it on GitHub<#2222 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBYBYORYJG7O5R6PXMAZ3T2HS5WZAVCNFSM6AAAAABUH3OWDGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNRTGI2TOMZWGA>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
This type of behaviour is called account linking, or account tracking, and is an anti-pattern with respect to end user privacy, whether it be across domains on the internet, or between separate accounts on the same RP/website. I am highly confident the WebAuthn WG will not support any notion to introduce a capability like this. By way of example, if I have 5 google accounts, Google doesn't need to know, nor should they, that they are all mine. They are completely separate personas that I (as an end user) want distinct for privacy reasons. If as an RP you're trying to bind an account to a human, then use a 3rd party identity proofing solution (not an authentication technology like WebAuthn) to do that. Real humans will find it difficult to provide the burdens of proof required to satisfy different human identities for many accounts at the same RP. |
|
Hi Shane,
Thank you very much for your detailed answers.
I understand what you mean.
How about providing a method to get just the number of the credentials on the device for the RP?
This can avoid account linking, or account tracking, for the RP does not know the exact account names associated with these credentials.
…________________________________
发件人: Shane Weeden ***@***.***>
发送时间: 2024年12月27日 11:03
收件人: w3c/webauthn ***@***.***>
抄送: bigradish ***@***.***>; Author ***@***.***>
主题: Re: [w3c/webauthn] Add a method to get all the credentials for a rely party on the client device to support the rely party (website) to limit the number of accounts a user can register (Issue #2222)
This type of behaviour is called account linking, or account tracking, and is an anti-pattern with respect to end user privacy, whether it be across domains on the internet, or between separate accounts on the same RP/website. I am highly confident the WebAuthn WG will not support any notion to introduce a capability like this. By way of example, if I have 5 google accounts, Google doesn't need to know, nor should they, that they are all mine. They are completely separate personas that I (as an end user) want distinct for privacy reasons.
If as an RP you're trying to bind an account to a human, then use a 3rd party identity proofing solution (not an authentication technology like WebAuthn) to do that. Real humans will find it difficult to provide the burdens of proof required to satisfy different human identities for many accounts at the same RP.
―
Reply to this email directly, view it on GitHub<#2222 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBYBYJRI2WPC6QMYGEX2RD2HS7QZAVCNFSM6AAAAABUH3OWDGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNRTGI3DINZQGU>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
I'm sure it will come up as a topic at the next WG call, and will let that process take its course, but I'm almost certain the answer will be against. There isn't even a discovery API to figure out if any credential exists at all, let alone provide a number. This is why the "autofill UI" (also known as conditional mediation) version of WebAuthn behaves the way it does. The notion of whether or not a credential exists on the client device and is shown in autofill dropdown to the user is not discoverable to the RP until the user decides to use it. The RP is not entitled to know this - again for privacy reasons. |
|
Hi Shane,
I think we should not emphasize the user privacy too much. Providing more info to the RP properly may make Webauthn be used more widely.
Thank you very much anyway. :)
|
|
The WG has pondered this several times and remains of the opinion that browsers should not silently release credential metadata for privacy reasons. There is a possibility that an API similar to one that exists on several mobile platforms could be provided on the web, where a UI appears if (and only if) credentials exist. But this also effectively discloses whether some credential exists, and thus is not trivial. But, if such a thing happened, we would track any such proposal in a more specific issue/PR. So we'll close this one since we don't think that the suggestion in the title is suitable. |
|
I'd just like to add for the record:
This sentiment is directly contradicted by W3C Ethical Web Principles §2.5. The web is secure and respects people's privacy:
Which is why this W3C working group prioritizes user privacy over RP convenience. |
bigradish
changed the title
bigradish
changed the title
|
@emlun Thank you for your explanation, but I can not agree with you. I don't think my request is contradicted by the W3C Ethical Web Principles, whose motivation is making the web better. |
|
Restricting who can create an account on a website (or providing the means to restrict) is not in scope for the Web Authentication API. WebAuthn itself doesn't deal with accounts at all. It is an API for creating and asserting credentials. You can accomplish this via other means if it is required for your business needs/policies. |
|
@timcappalli Sorry, I have to say you have not got the meaning of this issue. |
|
You said:
to which I responded. |
This can be done irrespective of if this kind of API addition exists or not. The user simply makes the credentials unavailable to the browser itself. The goal of WebAuth is not to solve identity management, but rather to facilitate the creation of cryptographical keys and later verify via mathematical proof that someone has access to them (likely the person who created them). Registration concerns including but not limited to: multiple registration, rate limiting, etc; are in scope for business logic, and definitionally out of scope of this standard. You can solve this in many ways such as endpoint rate limits, requiring some form of additional validation that takes time, accounts to be created prior to registering a WebAuthn credential, using information already available to you such as their IP or long-lived session cookies , etc. For malicious spam creation which is likely to be done via bots or automation it's completely trivial to circumvent any specification addition in this area. There is quite literally no way to keep track of mildly sophisticated malicious parties and how many accounts they truly have created credentials for. |
|
@james-d-elliott You said: "The goal of WebAuth is to facilitate the creation of cryptographical keys and later verify via mathematical proof that someone has access to them" |
|
First sentence of the specification....
|
|
This proves nothing. |
|
Do you think the goal of WebAuthn is just this? |
|
I'm going to assume you're either a bot or a troll and won't be engaging on this closed issue any further. |
It is very easy for a user to register many accounts on a website which using webauthn, but it seems that there is no an easy way to limit this capability of the user, for it is not easy to identify the user or the authenticator (many platforms do not return its AAGUID even if the "enterprise" conveyance option is used.) using javascript in browsers when the user is registering.
If there is a method that can get all the credentials for a rely party on the client device, the rely party (website) can easily limit the number of accounts a user can register using the client device.
Thank you very much.
The text was updated successfully, but these errors were encountered: