W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2020

Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Tue, 07 Apr 2020 07:39:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-610229103-1586245198-sysbot+gh@w3.org>
There are **resident key** use cases (client side discoverable credential) where the RP tries to authenticate the user **without any credential id**. Then, the browser or FIDO client tries to list up all the available credentials and prompt to the user to select the account (among multiple accounts). After the user selects the appropriate account and performs user verification, the authenticator will return assertion with credential id. With this credential id, the RP could identify the user and public key for assertion verification.
If the credential id is not unique across all users, the server needs to look up all the matched credentials and perform signature verification until it gets verification success. Also, RP will have no idea whether the key was not registered before or signature verification fails.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610229103 using your GitHub account
Received on Tuesday, 7 April 2020 07:40:02 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:40 UTC