You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -6001,9 +6001,8 @@ leakage due to such an attack:
- When verifying an {{AuthenticatorAssertionResponse}} response from the [=authenticator=], make it indistinguishable whether
verification failed because the signature is invalid or because no such user or credential is registered.
- Perform a different authentication step, such as username and password authentication,
before initiating the WebAuthn [=authentication ceremony=].
This moves the username enumation problem from the WebAuthn [=authentication ceremony=]
- Perform a multi-step [=authentication ceremony=], e.g., beginning with supplying username and password, before initiating the WebAuthn [=ceremony=] as a subsequent step.
This moves the username enumation problem from the WebAuthn step
to the preceding authentication step, where it may be easier to solve.
