
Registering with same username twice!!!

Open afridi26 opened this issue 4 years ago • 5 comments

Hi, while playing around with webauthn.io I tried to register the same user twice, and even three times and more. What I believe is that for the same username the library must send excludeCredentials, which tells the authenticator about the public keys already existing for a given user; it is provided by the relying party's server if it wants to prevent the creation of new credentials for an existing user. Link for excludeCredentials field: [Screenshot from 2019-07-18 13-53-02]

afridi26 avatar Jul 18 '19 14:07 afridi26

I had to look because I know I had specifically addressed this, but yes, it is definitely an issue in current master branch. This is fixed in server.RequestNewCredential() in the fido-testing branch as this scenario is tested by the conformance test tool.

aseigler avatar Jul 18 '19 14:07 aseigler

I have tested this locally and the same behaviour is on https://webauthn.io/. Need to deploy fresh version :) thanks

afridi26 avatar Jul 18 '19 21:07 afridi26

Not sure if this is related, but when registering the same username multiple times and then trying to log in, the RP sends multiple authenticatorGetAssertion calls with a single credential in allowList rather than all credentials like the spec says. For example this happens when you respond with CTAP2_ERR_CREDENTIAL_EXCLUDED for the first credential.

Looking at the browser console, I see the public keys in a single array, but the authenticator only receives one at a time.

Possibly related to this: https://chromium-review.googlesource.com/c/chromium/src/+/1629587

eigenl avatar Aug 12 '19 10:08 eigenl
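The two behaviours discussed above (populate excludeCredentials with every credential already stored for the username at registration, and list all of the user's credentials in a single allowCredentials list at login) are shown below as an added Go example. It is not code from the webauthn.io project or the duo-labs/webauthn library; `Store`, `BeginRegistration`, `BeginLogin`, `FakeAuthenticator` and `Scenario` are names assumed here for illustration, and the authenticator is a constructed stand-in that refuses makeCredential when one of its held credential IDs is in the exclude list, mirroring CTAP2_ERR_CREDENTIAL_EXCLUDED.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// CredentialDescriptor mirrors a WebAuthn PublicKeyCredentialDescriptor.
type CredentialDescriptor struct {
	Type string
	ID   []byte
}

// Credential is what the RP stores per registered authenticator (simplified).
type Credential struct {
	ID        []byte
	PublicKey []byte
}

// User is a minimal RP-side user record keyed by username (assumed shape).
type User struct {
	Name        string
	Credentials []Credential
}

// CreationOptions / RequestOptions model only the fields relevant here.
type CreationOptions struct {
	Challenge          []byte
	ExcludeCredentials []CredentialDescriptor
}
type RequestOptions struct {
	Challenge        []byte
	AllowCredentials []CredentialDescriptor
}

// Store is an in-memory user store; a real RP would back this with a database.
type Store struct{ users map[string]*User }

func NewStore() *Store { return &Store{users: map[string]*User{}} }

func (s *Store) getOrCreate(name string) *User {
	if u, ok := s.users[name]; ok {
		return u
	}
	u := &User{Name: name}
	s.users[name] = u
	return u
}

func descriptors(creds []Credential) []CredentialDescriptor {
	out := make([]CredentialDescriptor, 0, len(creds))
	for _, c := range creds {
		out = append(out, CredentialDescriptor{Type: "public-key", ID: c.ID})
	}
	return out
}

func newChallenge() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// BeginRegistration lists every credential already stored for the username in
// excludeCredentials, so an authenticator holding one refuses to mint another.
func (s *Store) BeginRegistration(name string) CreationOptions {
	u := s.getOrCreate(name)
	return CreationOptions{Challenge: newChallenge(), ExcludeCredentials: descriptors(u.Credentials)}
}

// FinishRegistration stores the newly created credential for the user.
func (s *Store) FinishRegistration(name string, c Credential) {
	u := s.getOrCreate(name)
	u.Credentials = append(u.Credentials, c)
}

// BeginLogin puts ALL of the user's credentials in one allowCredentials list,
// rather than issuing one getAssertion per credential.
func (s *Store) BeginLogin(name string) (RequestOptions, error) {
	u, ok := s.users[name]
	if !ok || len(u.Credentials) == 0 {
		return RequestOptions{}, errors.New("unknown user or no credentials")
	}
	return RequestOptions{Challenge: newChallenge(), AllowCredentials: descriptors(u.Credentials)}, nil
}

// ErrCredentialExcluded stands in for the CTAP2_ERR_CREDENTIAL_EXCLUDED status.
var ErrCredentialExcluded = errors.New("CTAP2_ERR_CREDENTIAL_EXCLUDED")

// FakeAuthenticator is a constructed authenticator that honours the exclude list.
type FakeAuthenticator struct{ held [][]byte }

// MakeCredential rejects the request if any held ID is excluded; otherwise it
// mints a new random credential ID and remembers it.
func (a *FakeAuthenticator) MakeCredential(opts CreationOptions) (Credential, error) {
	for _, ex := range opts.ExcludeCredentials {
		for _, h := range a.held {
			if bytes.Equal(ex.ID, h) {
				return Credential{}, ErrCredentialExcluded
			}
		}
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return Credential{}, err
	}
	a.held = append(a.held, id)
	return Credential{ID: id, PublicKey: []byte("constructed-public-key")}, nil
}

// Scenario replays the thread's case: register "alice" once, retry on the same
// authenticator (must be excluded), then register a second authenticator and
// confirm the login allowList carries both credentials. Returns the number of
// stored credentials, the allowList size, and the error from the retry.
func Scenario() (stored int, allowed int, retryErr error) {
	s := NewStore()
	auth1, auth2 := &FakeAuthenticator{}, &FakeAuthenticator{}
	c1, _ := auth1.MakeCredential(s.BeginRegistration("alice"))
	s.FinishRegistration("alice", c1)
	_, retryErr = auth1.MakeCredential(s.BeginRegistration("alice")) // duplicate attempt
	c2, _ := auth2.MakeCredential(s.BeginRegistration("alice"))
	s.FinishRegistration("alice", c2)
	req, _ := s.BeginLogin("alice")
	return len(s.users["alice"].Credentials), len(req.AllowCredentials), retryErr
}

func main() {
	stored, allowed, err := Scenario()
	fmt.Printf("stored=%d allowList=%d retry=%v\n", stored, allowed, err)
}
```

The retry on the first authenticator fails with the excluded status because the RP included that authenticator's credential ID in excludeCredentials, while a different authenticator can still enrol; the login options then carry both credential IDs in one list, which is what the spec expects instead of a separate getAssertion per credential.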

Hi @aseigler @nicksteele, do you know if this issue is fixed in master? I just observed a similar error with double registration on top of tree master and I'm wondering if it's the same bug. As I see it, the fido-testing fix has not yet been merged into master.

m9a avatar Jul 14 '21 06:07 m9a

> Hi @aseigler @nicksteele, do you know if this issue is fixed in master? I just observed a similar error with double registration on top of tree master and I'm wondering if it's the same bug. As I see it, the fido-testing fix has not yet been merged into master.

As far as I know, it is not fixed in master.

aseigler avatar Jul 14 '21 13:07 aseigler

I believe this is fixed in the latest "v2" version of this site. I'm getting told by Chrome when I've tried re-registering something at least:

[Screenshot: Screen Shot 2022-09-26 at 1 37 25 PM]

(Weird that it says "security key" when I tried to enroll the platform authenticator, but that's a Chrome problem)

MasterKale avatar Sep 26 '22 20:09 MasterKale