developers.yubico.com
Suggested edit for U2F/Protocol_details/Overview
I'm confused by the discrepancy between the statement on Yubico's overview:
This means that Example.com cannot know whether User1 and User2 shares the same device.
and section 13.1 of the FIDO U2F overview that says:
13.1 An Origin Can Discover that Two Accounts Share a U2F Device
The "attack" described in the FIDO overview says that Example.com could send User1's key handle to User2, and if the device generates a valid signature then Example.com has discovered that User1 and User2 share the same device. My understanding is that this attack will succeed because the App ID will be the same for each account.
So the suggested edit would be to remove that paragraph or, if it is accurate, include an explanation of why this attack won't work. Thanks!
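To make the mechanism behind section 13.1 concrete, here is an added, constructed model (not Yubico's code and not from the FIDO spec) of a U2F authenticator whose key handle binds a nonce to the App ID but not to any account; `SimU2FDevice`, `shares_device` and the HMAC stand-in for the per-registration ECDSA key pair are all assumptions of this example. It also shows the limit of the property: the check only works within one App ID, so a different origin learns nothing.

```python
import hmac
import hashlib
import os


class SimU2FDevice:
    """Constructed model of a U2F device: one device-wide secret; a key handle
    is a nonce plus a MAC that binds that nonce to the App ID (not to a user)."""

    def __init__(self):
        self.secret = os.urandom(32)  # never leaves the device

    def _derive_key(self, nonce, app_id):
        # Stand-in for the per-registration ECDSA private key.
        return hmac.new(self.secret, nonce + app_id.encode(), hashlib.sha256).digest()

    def _handle_tag(self, nonce, app_id):
        return hmac.new(self.secret, b"handle" + nonce + app_id.encode(),
                        hashlib.sha256).digest()[:16]

    def register(self, app_id):
        """Return (key_handle, verify_key); the RP stores both for the account."""
        nonce = os.urandom(16)
        return nonce + self._handle_tag(nonce, app_id), self._derive_key(nonce, app_id)

    def authenticate(self, app_id, key_handle, challenge):
        """Answer only if this device minted the handle for this App ID."""
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(nonce, app_id)):
            return None  # foreign handle or different App ID: device stays silent
        return hmac.new(self._derive_key(nonce, app_id), challenge, hashlib.sha256).digest()


def verify(verify_key, challenge, response):
    """RP-side check of an authentication response against the stored key."""
    return response is not None and hmac.compare_digest(
        response, hmac.new(verify_key, challenge, hashlib.sha256).digest())


def shares_device(app_id, user1_registration, user2_device):
    """The section 13.1 observation from the RP's side: present User1's stored
    key handle during User2's login and see whether it verifies."""
    key_handle, verify_key = user1_registration
    challenge = os.urandom(32)
    response = user2_device.authenticate(app_id, key_handle, challenge)
    return verify(verify_key, challenge, response)


if __name__ == "__main__":
    dev = SimU2FDevice()
    user1 = dev.register("https://example.com")
    print(shares_device("https://example.com", user1, dev))             # True
    print(shares_device("https://example.com", user1, SimU2FDevice()))  # False
    print(shares_device("https://other.example", user1, dev))           # False
```

Because the handle carries no account binding, the same device answers for any account under the same App ID, which is exactly the correlation the FIDO overview describes; the paragraph's claim holds only across different App IDs.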