Fixed Passkey implementation is not compliant with Web Authentication standard

Kirby

Affected version
2.3.0 / xenforo.com
Since the user handle is not considered personally identifying information in § 14.4.2 Privacy of personally identifying information Stored in Authenticators, the Relying Party MUST NOT include personally identifying information, e.g., e-mail addresses or usernames, in the user handle. This includes hash values of personally identifying information, unless the hash function is salted with salt values private to the Relying Party, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the user handle be 64 random bytes, and store this value in the user’s account.

XenForo uses the user ID as the user handle; this is neither the recommended approach (e.g. 64 random bytes stored in the user account) nor does it comply with the requirement of not including personally identifying information:
The standard explicitly states that usernames must not be included in the user handle.
If the username is not allowed to be used in the user handle according to the standard (because it is considered personally identifying information), the user ID also must not be allowed, as it is trivial to retrieve the username by user ID.

Suggested Fix
Use the recommended approach
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.0 Beta 3).

Change log:
Use secret_key instead of user_id for user handle when generating passkey
There may be a delay before changes are rolled out to the XenForo Community.
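As an added illustration of the approach the report recommends (example code written for this thread, not XenForo's implementation nor the change-log fix), the following assumes a minimal constructed `Account` record: the user handle is 64 random bytes generated once and stored with the account, the registration `user.id` carries only that opaque value, and authentication maps a handle back to the account by constant-time comparison. A helper also flags the pattern the report objects to: a handle equal to the user ID, the username, or an unsalted hash of either.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed minimal account record (assumption for this example, not XenForo's schema).
@dataclass
class Account:
    user_id: int
    username: str
    # Opaque handle: 64 random bytes, created once and persisted with the account.
    user_handle: bytes = field(default_factory=lambda: secrets.token_bytes(64))

def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding used for binary fields in WebAuthn JSON options."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def registration_user_entity(account: Account) -> dict:
    """PublicKeyCredentialUserEntity for the create() options: only the opaque handle goes in user.id.
    The name/displayName fields are shown in the authenticator UI and are not the user handle."""
    return {
        "id": b64url(account.user_handle),
        "name": account.username,
        "displayName": account.username,
    }

def find_account_by_handle(accounts, handle: bytes):
    """Authentication side: map the userHandle returned by the authenticator back to an account."""
    for account in accounts:
        if hmac.compare_digest(account.user_handle, handle):
            return account
    return None

def handle_leaks_identity(handle: bytes, account: Account) -> bool:
    """True if the handle is derived from identifying data: the user ID, the username,
    or an unsalted SHA-256 of either (hashing alone does not stop guessing, per the spec)."""
    identifying = {str(account.user_id).encode(), account.username.encode()}
    unsalted = {hashlib.sha256(value).digest() for value in identifying}
    return handle in identifying or handle in unsalted
```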