-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why not email/username as user.id / user handle? #1763
Comments
Because these become baked into the credential in a way that may never change, this can have impacts on individuals when they need to change their name (think divorce, leaving domestic violence). Additionally it may also have privacy disclosure impacts on individuals as well. The user id and handle ARE transmitted during authentication for discoverable credentials (usernameless flows). However the displayName field can be changed post credential creation which is why these can contain info that the client side can update, and this displayname is NOT tranmitted during auth. |
it was probably poorly phrased from me. Indeed the user id is transmitted into the authentication payload. What I meant is that it is of no practical use. What you store in your database as a RP is typically "username/email -> list of public key credentials". So basically, you have to either transmit the "username/email" directly or map the user id to username/email on the server side. Regarding the user "name", from the specs:
So basically, it is just an identifier. I don't really see the problem with things like "divorce, leaving domestic violence, ...". More like when changing one's username/email/phone. But in that case, the solution looks simple to me: create new credentials. Done. |
The text in question was added in PR #1041 which was motivated by issue #578. It's more to do with not revealing the identity of an authenticator's owner without authentication, for example if a security key is stolen or dropped on the street. Authenticators are required to keep As a concrete example, CTAP 2.0 reveals user handles without authentication when called with empty |
Actually, when calling After all, listing a bunch of cryptic user id/handles would be quite useless. In such a case, the user would not be able to identify which one to pick. So, to conclude:
...so I'm kind of puzzled that there are privacy issues for an internal id that's never shown while name/displayName are easely listed without requiring user verification. |
Yes, but platform authenticators are presumably protected by the local login on the device. For external security keys the opposite is true: they may reveal user handles without authentication but not |
Ok. Thanks for the answers. So to summarize, because the users can freely be listed on external security keys, they require some cryptic handle to ensure usernames are not leaked. I understand that. Nevertheless, from an outsider's POV, I find the property names could have been chosen much better, like:
... Or alternatively "anonymizedId" or something like that. This would have been much more intuitive IMHO. |
But well, that's how things are. Thanks for the explanations. |
I want to address this specifically. Because these things are very related. I used to work at a company that made your username "first letter of given name, and lastname". So for me, wbrown. Now imagine you married someone, and took their lastname. Lets say in my case I married Alice Green (exampple name). And I changed my name to William Green. I join this company and that's my username. wgreen. Now something happens between Alice and I. Something that hurts deep inside, and causes huge pain. Every day at work I login with wgreen. A reminder of the person who inflicted so much harm. It's not just a "change of username/email". It's a change of identity, and allowing someone to not have to have reminders of horrors. That's why it's so important that these values are not used as primary keys and identifiers anywhere because developers get into these weird "oh we can never change it" positions. |
The specs says:
Or here:
However, I fail to understand the reasoning behind it since:
The text was updated successfully, but these errors were encountered: