Even in the case of resident keys, won't the authenticator return the selected user handle alongside the assertion? Then, based on that received user handle the RP could look up just the credentials for that user, find the match for credentialId (since it would be unique within the scope of that user), and continue with the assertion verification. -- GitHub Notification of comment by epheat Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610511460 using your GitHub accountReceived on Tuesday, 7 April 2020 17:12:20 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:40 UTC