Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

What do you mean by "server credentials"?

Ah yes, I see now that CTAP's authenticatorMakeCredential method stores the user data only for resident keys. However, even with that limitation I think your use case can be solved by embedding a user ID in the `challenge` parameter. Since `challenge` is an opaque byte array of unspecified length, and is returned in the assertion response, you could set `challenge` to the UTF-8 bytes of, for example, `{"userId":"ff642b","random":"1/BjTenZNLAw9l03J2J2BcpgXP5Ic7gEuoVfVVrf7Bg="}`. This should allow you to embed the user ID while maintaining `challenge` as a valid nonce, correct?

So I don't think changing CTAP is strictly necessary, but I'll update this PR either way just in case we need it.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Sunday, 24 December 2017 11:09:22 UTC