Re: [webauthn] Plumb User ID through

On another note, wouldn't this make the millions of existing U2F devices permanently incompatible?

They are currently compatible via the fido-u2f attestation statement format, but they cannot store anything else in addition to the credential ID and thus cannot return the user ID back in `authenticatorGetAssertion`.

Unless I'm mistaken in the above, I think with the above in mind this is too much to ask of the authenticator - especially as @akshayku points out that the user ID is not necessary for identifying the user. If some RPs require the user ID to authenticate, they can either require it before initiating the authentication ritual - most will probably do that anyway - or implement it as an extension.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-331425869 using your GitHub account

Received on Friday, 22 September 2017 11:49:40 UTC