Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 21 Dec 2017 14:02:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-353358265-1513864978-sysbot+gh@w3.org>

I now agree that the user handle is not private information, but I don't see how the RP could not know the user's identity if the RP has already looked up a list of credential IDs for that user.

Either way, I see now that [CTAP's getAssertion method](https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorGetAssertion) always returns the `user.id` even in the 2nd factor case, so I support closing this. Sorry for wasting everyone's time on yesterday's call.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353358265 using your GitHub account
Received on Thursday, 21 December 2017 14:03:04 UTC
