
Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Sun, 24 Dec 2017 11:09:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-353778439-1514113757-sysbot+gh@w3.org>
What do you mean by "server credentials"?

Ah yes, I see now that CTAP's authenticatorMakeCredential method stores the user data only for resident keys. However, even with that limitation I think your use case can be solved by embedding a user ID in the `challenge` parameter. Since `challenge` is an opaque byte array of unspecified length, and is returned in the assertion response, you could set `challenge` to the UTF-8 bytes of for example `{"userId":"ff642b","random":"1/BjTenZNLAw9l03J2J2BcpgXP5Ic7gEuoVfVVrf7Bg="}`. This should allow you to embed the user ID while maintaining `challenge` as a valid nonce, correct?

So I don't think changing CTAP is strictly necessary, but I'll update this PR either way just in case we need it.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353778439 using your GitHub account
Received on Sunday, 24 December 2017 11:09:22 UTC
