Re: [webauthn] Plumb User ID through

Why is the user ID necessary for getAssertion? Even for the single factor use case, isn't it possible for the RP to identify the user from only the credential ID even with no allowCredentials? For example:

1. Setup: The RP has an internal table linking credential IDs to public keys and internal user IDs, and the user has previously registered a credential with the RP
2. The user initiates an authentication ritual (providing no additional info at this point)
3. The RP generates a challenge and sends a PublicKeyCredentialRequest (with no allowCredentials) to the client
4. The authenticator chooses a credential and generates an assertion
5. The RP receives the PublicKeyCredential with an AuthenticatorAssertionResponse containing a credential ID and a signature by that credential
6. The RP looks up the public key from its table using the credential ID and verifies the challenge signature
7. If (6) fails, the RP asks the user to try again with a different credential
8. If (6) succeeds, the RP looks up the user ID from its table using the credential ID and initiates an authenticated session for that user

Shouldn't that work?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-329753114 using your GitHub account

Received on Friday, 15 September 2017 11:12:50 UTC
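The eight-step flow in the comment above, carried through as an added example that is not part of the original message or of the webauthn repository. It assumes an ES256 (ECDSA P-256) credential, a constructed stand-in authenticator, and constructed values for the RP ID, origin and challenge; the RP's table is keyed by credential ID only, so the user ID comes out of the table after the signature verifies (steps 6 and 8), never from the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// credentialRecord is what the RP stored at registration (step 1):
// the credential's public key and the internal user it belongs to.
type credentialRecord struct {
	PublicKey *ecdsa.PublicKey
	UserID    string
}

// RP keeps the table mapping credential ID (base64url) to its record.
type RP struct {
	creds map[string]credentialRecord
}

func NewRP() *RP { return &RP{creds: map[string]credentialRecord{}} }

func (rp *RP) Register(credID []byte, pub *ecdsa.PublicKey, userID string) {
	rp.creds[base64.RawURLEncoding.EncodeToString(credID)] = credentialRecord{pub, userID}
}

// assertionResponse carries the AuthenticatorAssertionResponse fields the RP needs (step 5).
type assertionResponse struct {
	CredentialID      []byte
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER encoded ECDSA signature
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what a WebAuthn authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// LookupUser performs steps 6 and 8: find the public key by credential ID, check that the
// client data binds the challenge the RP issued, verify the signature, then return the user ID.
func (rp *RP) LookupUser(challenge []byte, origin string, resp assertionResponse) (string, error) {
	rec, ok := rp.creds[base64.RawURLEncoding.EncodeToString(resp.CredentialID)]
	if !ok {
		return "", errors.New("unknown credential ID") // step 7: ask the user to try another credential
	}
	var cd clientData
	if err := json.Unmarshal(resp.ClientDataJSON, &cd); err != nil {
		return "", err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin ||
		cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return "", errors.New("client data does not match the issued challenge")
	}
	digest := sha256.Sum256(signedMessage(resp.AuthenticatorData, resp.ClientDataJSON))
	if !ecdsa.VerifyASN1(rec.PublicKey, digest[:], resp.Signature) {
		return "", errors.New("signature verification failed")
	}
	return rec.UserID, nil
}

// fakeAuthenticator is a constructed stand-in for steps 4 and 5: one P-256 credential that signs assertions.
type fakeAuthenticator struct {
	credID []byte
	key    *ecdsa.PrivateKey
}

func newFakeAuthenticator() *fakeAuthenticator {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	return &fakeAuthenticator{credID: id, key: key}
}

func (a *fakeAuthenticator) assert(challenge []byte, rpID, origin string) assertionResponse {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signCount
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	digest := sha256.Sum256(signedMessage(authData, cdj))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	if err != nil {
		panic(err)
	}
	return assertionResponse{a.credID, authData, cdj, sig}
}

func main() {
	rp, auth := NewRP(), newFakeAuthenticator()
	rp.Register(auth.credID, &auth.key.PublicKey, "user-42") // constructed user ID
	challenge := []byte("constructed-challenge-0001")          // constructed; use 16+ random bytes in practice
	uid, err := rp.LookupUser(challenge, "https://example.com", auth.assert(challenge, "example.com", "https://example.com"))
	fmt.Println(uid, err)
}
```

The RP never asks the client which user is signing in; an unknown credential ID or a failed signature check is the step-7 path, and only a verified signature reaches the step-8 table lookup.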