Prevent user enumeration when implementing passkeys
I am thinking of allowing users to login using passkeys. As far as I understand it a login flow of a user logging in with passkeys typically works like this:
- Login screen separates between a screen where the user enters his user-id (often an e-mail address) and a second screen where the user enters his password (when doing a password login)
- If the user has passkeys enabled, instead of asking for a password on the second screen the users gets asked for his passkey or can click a link to fall back to a different login type (like passwords)
If a login is allowed like this, doesn't this allow for user enumeration attacks? After entering the user-id of an existing user with passkeys enabled, I get a different second page compared to using a non-existent user-id. How do I prevent this?
There is a conditional mediation feature (auto-fill with passkey) to allow for you to accept passkeys and traditional passwords in one screen. So, you can leverage that feature by returning empty allow credential for the passkey authentication for all users without checking whether the users are protected by passkeys or not.
In this case, the attacker cannot know whether the user accounts are protected by passkeys or not since there is no differences regarding the screen and response from the service. The browsers will handle the user device has passkeys for the site instead of the service (relying party) or ask customers to use another devices (cross device authentication with passkey or secret keys). Or, the browser might auto-fill the users' passwords or users simply put their passwords in the password field if the service allows to do so.
On the other hand, the service might have some magical way of checking user enumeration attacks by checking cookie or any other information so that it might block such attempts from the attackers.
- Implementing External Login does not set IsAuthenticated to true unless I refresh the page
- Next.JS Abort fetching component for route: "/login"
- Odoo API returns 'Invalid credentials' even with correct username and password
- How to authenticate Google APIs (Google Drive API) from Google Compute Engine and locally without downloading Service Account credentials?
- Access GitLab repo with project access token
- How to ensure receiving an SMS verification code from Telegram using Telethon?
- How Do I Use KeyCloak in Flutter
- How to login with AWS CLI using credentials profiles
- How do I use the usethis package when I have already developed an R package on GitHub?
- How to update github token on linux?
- Add custom JwtBearerHandler to "AddMicrosoftIdentityWebApi" in .net7
- How to make a simple authentication in Google Forms using Google apps script?
- How handle refresh token and access token for auth system
- How to connect snowsql from PC (Windows 10)
- I am trying to create a stored procedure to check passwords of logins
- Restful API call using IOS with authentication
- Get serverAuthCode using Credential Manager
- Why can't Google Drive be mounted anymore and shows a browser popup instead of a link for authorization?
- How to store httpOnly cookie after redirect from custom SSO?
- Where to store the refresh token on the Client?
- Tiktok client key
- JWT Token returns NULL .NET API Login
- Update Next.js to React 18 breaks my API calls using next-auth
- What is the maximum length of a SID in SDDL format
- Can I use wildcards in the web.config location path attribute?
- Minimal API or AccountController for Login with ASP.NET Core Identity?
- Next.js with Clerk Auth - how to detect if a user just signed up?
- Is it okay to check user claims in AuthorizationHandler only if a route parameter requires users to be authorized?
- Conflicting Basic & Bearer Authorization between nginx and my webapp
- How does cookie-based authentication work?