Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

There's no hard technical requirement for it, it's rather a defense against an opportunity for a rare and subtle bug. Authenticators generate credential IDs independently, so it's possible that two authenticators could generate the same credential ID. This should in theory be astronomically unlikely, but whether due to implementation bugs, bad random number generation, etc., it could conceivably happen in practice. Since credential IDs are generally _expected_ to be universally unique, it's prudent to not register them more than once each. But if you do make sure the correct user owns each credential, I don't think there's any danger in allowing each credential ID once per user.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 8 April 2020 13:03:30 UTC