W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

Re: [webauthn] First factor authenticator selection

From: Johan Verrept via GitHub <sysbot+gh@w3.org>
Date: Mon, 16 Oct 2017 11:31:43 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336859560-1508153488-sysbot+gh@w3.org>
@Kieun U2F authenticators can never be first factor as they do not allow storage of a User ID. What is more, whether or not the actual key is a resident key is not relevant in a U2F context: the key handle supplied by the RP is the only link between the user account and the signature.  Even if an authenticator would support returning an assertion based on AppID (U2F speak for the RPID), the returned signature does not contain any indication of which credential was used to generate it. They only way to identify the account for such a signature would be to validate the signature against all public keys stored by the RP...

I believe U2F authenticators should never be returned when `requireResidentKey` is set.

GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/640#issuecomment-336859560 using your GitHub account
Received on Monday, 16 October 2017 11:31:33 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC