
Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Sun, 24 Dec 2017 11:09:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-353778439-1514113757-sysbot+gh@w3.org>
What do you mean by "server credentials"?

Ah yes, I see now that CTAP's authenticatorMakeCredential method stores the user data only for resident keys. However, even with that limitation I think your use case can be solved by embedding a user ID in the `challenge` parameter. Since `challenge` is an opaque byte array of unspecified length, and is returned in the assertion response, you could set `challenge` to the UTF-8 bytes of, for example, `{"userId":"ff642b","random":"1/BjTenZNLAw9l03J2J2BcpgXP5Ic7gEuoVfVVrf7Bg="}`. This should allow you to embed the user ID while maintaining `challenge` as a valid nonce, correct?

So I don't think changing CTAP is strictly necessary, but I'll update this PR either way just in case we need it.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353778439 using your GitHub account
Received on Sunday, 24 December 2017 11:09:22 UTC
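A worked sketch of the scheme proposed in the comment above, added here as an example and not code from the comment author or the w3c/webauthn project. The helper names, the in-memory `pending` nonce store, the constructed `simulate_client_data_json` stand-in for what the browser returns, and the sample user ID are all assumptions. The relying party embeds the user ID next to a fresh random value in the `challenge`, then on assertion decodes the challenge back out of `clientDataJSON`, reads the user ID, and consumes the nonce it issued to that user so the challenge remains a one-time value.

```python
import base64
import hmac
import json
import os

# Hypothetical helper names; none of these are WebAuthn or CTAP API names.


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the
    challenge field inside clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_nopad: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_challenge(user_id: str, pending: dict, rng=os.urandom) -> bytes:
    """Build the opaque challenge bytes from the comment: compact JSON holding
    the user ID and a fresh 32-byte random value.  The random value is recorded
    in `pending` (a constructed in-memory store keyed by user ID) so that it
    can be checked, once, when the assertion comes back."""
    nonce = base64.b64encode(rng(32)).decode("ascii")
    pending[user_id] = nonce
    payload = {"userId": user_id, "random": nonce}
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def simulate_client_data_json(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the browser: clientDataJSON echoes the
    challenge back base64url-encoded alongside the type and origin."""
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_nopad(challenge),
        "origin": origin,
    }
    return json.dumps(client_data).encode("utf-8")


def recover_user_id(client_data_json: bytes, pending: dict, expected_origin: str) -> str:
    """Relying-party check on the assertion response.  Decodes the returned
    challenge, extracts the embedded user ID, and verifies that the random
    value matches the nonce issued to that user.  The nonce is consumed on
    success, so a replayed response fails.  Raises ValueError on mismatch."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    if client_data.get("origin") != expected_origin:
        raise ValueError("unexpected origin")

    inner = json.loads(b64url_decode(client_data["challenge"]))
    user_id = inner["userId"]
    received_nonce = inner["random"]

    # Until this comparison passes, the embedded user ID is untrusted input:
    # it only tells us which issued nonce to compare against.
    issued_nonce = pending.pop(user_id, None)
    if issued_nonce is None or not hmac.compare_digest(issued_nonce, received_nonce):
        raise ValueError("challenge nonce was not issued to this user or was already used")
    return user_id


if __name__ == "__main__":
    store = {}
    challenge = make_challenge("ff642b", store)
    response = simulate_client_data_json(challenge, "https://example.com")
    print(recover_user_id(response, store, "https://example.com"))
```

The embedded `userId` does nothing more than select which outstanding nonce to compare against; the `random` field is what makes the challenge a valid one-time nonce, and popping it from the store on first use is what keeps a captured response from being accepted twice.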
