Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

@emlun: Thanks for taking this on. 

You are correct, even if response server is different request server (rare case), user information is still available in addition to credentialID as it is a second factor case and user has already entered user information in first step. I was incorrect earlier and when I relooked at the whole scenario, The confusion came because earlier we were equating second factor case with server credentials case which is not always correct. 

For server credentials, it is of the same semantics as of U2F meaning authenticators MAY drop all user information while returning the credentialID. Some authenticators MAY also store this information in encrypted form in future however there is no need and I am not aware of any such authenticators as of now. In any case, this is authenticator specific. CTAP spec needs a clarification as it says user ID is required in authenticatorGetAssertion response which is inconsistent for U2F devices or for server credentials where there is no such information available. I will make that clarification.

Platform logic is simple, if it returned from authenticator (for resident keys, irrespective of whether credential list if present or not), return it to the RP, otherwise set it to NULL. 


GitHub Notification of comment by akshayku
Please view or discuss this issue at using your GitHub account

Received on Monday, 25 December 2017 19:28:39 UTC