Product Documentation

Attackers may attempt to discover legitimate usernames registered to a site. One way to do this is to repeatedly call the server's pre-authenticate web service with candidate usernames and observe whether any registered credential IDs are returned. If the web service returns registered keys, the attacker learns that a legitimate username exists.


To address this, the default behavior of SKFS can be changed. A property on the SKFS can be enabled so that credential IDs are sent back in the web service response regardless of whether the user is actually registered. For an unregistered user, the server generates random key handles and returns them, creating the illusion that the user has registered keys. The attacker receives false information and can no longer tell registered usernames apart from unregistered ones.


The following property determines whether fake credential IDs are returned to the calling application when it invokes the pre-authenticate web service for an unregistered user:

skfs.cfg.property.fido2.user.sendfakeKH

The default value for this property is false; the accepted values are true | false.
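The following is an added illustration of the behavior this property controls; it is not SKFS code and assumes its own simplified data model. It simulates the pre-authenticate response with the property off (an empty response reveals that the username is unknown) and on (an unregistered user receives plausible key handles). It goes one step beyond the text by deriving the fake handles with an HMAC over the username and a server secret, so that the same unregistered username always yields the same handles with the same length as real ones; how SKFS itself generates its random key handles is not described on this page.

```python
import base64
import hashlib
import hmac

KEY_HANDLE_LEN = 32          # assumed length of a credential ID, in bytes
FAKE_KH_PER_USER = 2         # assumed number of fake handles returned per user

# Constructed sample database: username -> list of raw credential IDs.
REGISTERED = {
    "alice": [bytes.fromhex("11" * 32), bytes.fromhex("22" * 32)],
}

# Constructed per-server secret. A real deployment would persist this so that
# fake handles stay stable across restarts rather than changing per process.
SERVER_SECRET = bytes.fromhex("0f" * 32)


def fake_key_handles(username: str, count: int = FAKE_KH_PER_USER) -> list[bytes]:
    """Derive key handles for an unregistered user.

    Using an HMAC keyed with the server secret means the same username always
    gets the same handles, so an attacker comparing two responses cannot spot
    that they change, and the handles are truncated to the real handle length.
    """
    return [
        hmac.new(SERVER_SECRET, f"{username}:{i}".encode(), hashlib.sha256)
        .digest()[:KEY_HANDLE_LEN]
        for i in range(count)
    ]


def preauthenticate(username: str, send_fake_kh: bool) -> list[str]:
    """Return the base64url credential IDs a pre-authenticate call would expose.

    With send_fake_kh=False an unregistered user gets an empty list, which is
    exactly the signal a username-enumeration probe looks for.
    """
    handles = REGISTERED.get(username)
    if handles is None:
        handles = fake_key_handles(username) if send_fake_kh else []
    return [base64.urlsafe_b64encode(h).rstrip(b"=").decode() for h in handles]


def looks_registered(response: list[str]) -> bool:
    """The only observation available to a caller: did any key handles come back?"""
    return len(response) > 0
```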


Follow the steps below to change this property:

  • Switch to (or login as) the "strongauth" user

    shell> su - strongauth
  • Edit the skfs properties file:

    shell> vi /usr/local/strongauth/skfs/etc/skfs-configuration.properties
  • Set skfs.cfg.property.fido2.user.sendfakeKH to the desired value (true/false)

    skfs.cfg.property.fido2.user.sendfakeKH=true
  • Restart the GlassFish server

    shell> sudo systemctl restart payara

    # For SKFS version 4.12 and below, use the following command instead:
    shell> sudo service glassfishd restart



ADDITIONAL INFORMATION

A wide range of properties may be customized. For an in-depth overview of SKFS properties, refer to the SKFS properties documentation.