Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

Summary of currently proposed changes:

- `AuthenticatorAssertionResponse.userHandle` is now nullable.
- The authenticator MAY now skip storing the user handle for credentials that do not have a client-side-resident credential private key. (CTAP [currently does this][ctap])
- The authenticator now always returns the user handle if it is available.
- The client now returns `userHandle: null` if the authenticator did not return the user handle.

However, it looks like CTAP is internally inconsistent: the `user` argument to authenticatorMakeCredential is stored only for resident keys, but the `user` attribute is required in the authenticatorGetAssertion response...


GitHub Notification of comment by emlun

Received on Monday, 25 December 2017 14:44:15 UTC
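
An added example, not part of the original message or the WebAuthn repository: one way a relying party could handle the nullable `userHandle` summarized above when deciding which account an assertion authenticates. The function `resolveAssertionUser`, the `credentialOwners` store and all sample values are constructed for illustration; it assumes `userHandle` has already been decoded to a string and covers only the user-identification step, not signature verification.

```javascript
// Constructed credential store: credential ID -> user handle of the owning account.
const credentialOwners = new Map([
  ["cred-2fa-alice", "uh-alice"],    // non-resident credential, used as a second factor
  ["cred-resident-bob", "uh-bob"],   // client-side-resident credential
]);

/**
 * Decide which account an assertion authenticates (hypothetical helper).
 * @param {string} credentialId           ID of the credential that produced the assertion
 * @param {string|null} userHandle        response.userHandle, or null if the authenticator returned none
 * @param {string|null} sessionUserHandle user identified before the ceremony, or null
 * @returns {string} user handle of the authenticated account
 */
function resolveAssertionUser(credentialId, userHandle, sessionUserHandle, owners = credentialOwners) {
  const owner = owners.get(credentialId);
  if (owner === undefined) throw new Error("unknown credential");

  if (sessionUserHandle !== null) {
    // Second-factor mode: the user was identified first (e.g. username and password).
    if (owner !== sessionUserHandle) {
      throw new Error("credential not owned by identified user");
    }
    // A null userHandle is acceptable here; a present one must agree with the owner.
    if (userHandle !== null && userHandle !== owner) {
      throw new Error("userHandle mismatch");
    }
    return owner;
  }

  // No prior identification: the user handle is the only claim of identity,
  // so null must be rejected rather than treated as "no constraint".
  if (userHandle === null) {
    throw new Error("userHandle required when user is not pre-identified");
  }
  if (userHandle !== owner) throw new Error("userHandle mismatch");
  return owner;
}
```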