[webauthn] some RPs may wish to allow multiple registrations to same user account

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== some RPs may wish to allow multiple registrations to same user account ==
We have this text in [4.3. User Account Information](https://w3c.github.io/webauthn/#iface-userinfo):
> The id member contains an identifier for the account, specified by the Relying Party. ... It is used by the Relying Party to control the number of credentials - an authenticator will never contain more than one credential for a given Relying Party under the same id.

This *could* be construed to mean that an RP may only map one credential to a given user account. Though, if the RP is creative, and e.g. does not store their internal account identifier in the RelyingPartyUserInfo.id but rather stores some 2nd-level id there that they map to their account ID on their server-side, they can do so (yes?) -- seems to me we ought to document this.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/403 using your GitHub account

Received on Friday, 14 April 2017 16:44:04 UTC
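
The indirection raised in the issue above, as an added example that is not part of the original message or of the WebAuthn specification: a toy authenticator that keeps one credential per (RP ID, user id) pair, and a Relying Party that either puts its account identifier in `id` directly or issues a fresh second-level handle per registration. `ToyAuthenticator`, `RelyingParty`, `rp.example` and `account-1001` are hypothetical names, and overwriting on a repeated `id` is an assumption of this model (the quoted text only says there is never more than one).

```python
import secrets


class ToyAuthenticator:
    """Model of the quoted rule: one credential per (RP ID, user id)."""

    def __init__(self):
        self._slots = {}  # (rp_id, user_id) -> credential id

    def make_credential(self, rp_id: str, user_id: bytes) -> bytes:
        cred_id = secrets.token_bytes(16)
        # Assumption: a repeated (rp_id, user_id) replaces the earlier credential.
        self._slots[(rp_id, user_id)] = cred_id
        return cred_id

    def count_for(self, rp_id: str) -> int:
        return sum(1 for rp, _ in self._slots if rp == rp_id)


class RelyingParty:
    def __init__(self, rp_id: str, indirect: bool):
        self.rp_id = rp_id
        self.indirect = indirect
        self.handle_to_account = {}  # value sent as `id` -> internal account id
        self.cred_to_handle = {}     # credential id -> value sent as `id`

    def register(self, authenticator: ToyAuthenticator, account_id: str) -> bytes:
        if self.indirect:
            # Second-level id: random, opaque, resolved only on the server.
            handle = secrets.token_bytes(32)
        else:
            # Internal account identifier placed in `id` as-is.
            handle = account_id.encode()
        self.handle_to_account[handle] = account_id
        cred_id = authenticator.make_credential(self.rp_id, handle)
        self.cred_to_handle[cred_id] = handle
        return cred_id

    def account_for(self, cred_id: bytes):
        handle = self.cred_to_handle.get(cred_id)
        return self.handle_to_account.get(handle)


def run(indirect: bool):
    """Register the same account twice on one authenticator (constructed data)."""
    rp = RelyingParty("rp.example", indirect)
    auth = ToyAuthenticator()
    creds = [rp.register(auth, "account-1001") for _ in range(2)]
    return auth.count_for(rp.rp_id), [rp.account_for(c) for c in creds]
```

With the second-level handle, the server-side table is what ties several credentials to one account, so it has to be stored and protected like any other account-linking data.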