13.1 An Origin Can Discover that Two Accounts Share a U2F Device
The "attack" described in the FIDO overview says that Example.com could send User1's key handle to User2, and if the device generates a valid signature then Example.com has discovered that User1 and User2 share the same device. My understanding is that this attack will succeed because the App ID will be the same for each account.
So the suggested edit would be to remove that paragraph or, if it is accurate, include an explanation of why this attack won't work. Thanks!
The text was updated successfully, but these errors were encountered:
I'm confused by the discrepancy between the statement on Yubico's overview:
and section 13.1 of the FIDO U2F overview that says:
The "attack" described in the FIDO overview says that Example.com could send User1's key handle to User2, and if the device generates a valid signature then Example.com has discovered that User1 and User2 share the same device. My understanding is that this attack will succeed because the App ID will be the same for each account.
So the suggested edit would be to remove that paragraph or, if it is accurate, include an explanation of why this attack won't work. Thanks!
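To make the point in the issue concrete, here is an added toy model of a U2F authenticator (example code written for this page, not from Yubico or the FIDO specification). It assumes a simplified HMAC-based key handle of the form nonce || MAC(device secret, AppID || nonce); real tokens use their own wrapping scheme, and the secrets and App IDs below are constructed.

```python
"""Toy U2F authenticator showing why AppID binding does not prevent
an origin from linking two accounts to one device (constructed example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16


class Authenticator:
    """Models one physical token holding a single device master secret."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret  # constructed; a real token keeps this in hardware

    def _mac(self, app_id: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, app_id + nonce, hashlib.sha256).digest()

    def register(self, app_id: bytes) -> bytes:
        """Return a key handle bound to app_id. It carries no account identity;
        only the relying party decides which user it stores the handle under."""
        nonce = os.urandom(NONCE_LEN)
        return nonce + self._mac(app_id, nonce)

    def check_only(self, app_id: bytes, key_handle: bytes) -> bool:
        """The token's 'check-only' test: was this handle issued by this token
        for this app_id? The token cannot know which account it belongs to."""
        nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        return hmac.compare_digest(self._mac(app_id, nonce), tag)


def linkability_probe() -> dict:
    """Reproduce the section 13.1 scenario: Example.com registers the same
    token under User1 and User2, then presents User1's handle during User2's
    session. Returns what the origin learns from each check."""
    app_id = b"https://example.com"           # constructed App ID
    other_app_id = b"https://other.example"   # constructed, unrelated origin
    token = Authenticator(b"constructed-secret-token-A")
    other_token = Authenticator(b"constructed-secret-token-B")

    handle_user1 = token.register(app_id)     # stored by Example.com under User1
    token.register(app_id)                    # same token, stored under User2
    return {
        # Same origin, same token: succeeds, so Example.com links the accounts.
        "user1_handle_valid_in_user2_session": token.check_only(app_id, handle_user1),
        # A different token rejects the handle: no false link.
        "user1_handle_valid_on_other_token": other_token.check_only(app_id, handle_user1),
        # AppID binding only stops a *different* origin from probing the handle.
        "user1_handle_valid_for_other_origin": token.check_only(other_app_id, handle_user1),
    }
```

Because neither the key handle nor the token's check carries any account identity, the App ID match stops cross-origin probing but not cross-account probing within one origin; the defence against this linkage rests on the relying party's behaviour, not on the token.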