Re: [webauthn] Why does credentialId need to be unique across all users? (#1403)

There's no hard technical requirement for it, it's rather a defense against an opportunity for a rare and subtle bug. Authenticators generate credential IDs independently, so it's possible that two authenticators could generate the same credential ID. This should in theory be astronomically unlikely, but whether due to implementation bugs, bad random number generation, etc., it could conceivably happen in practice. Since credential IDs are generally _expected_ to be universally unique, it's prudent to not register them more than once each. But if you do make sure the correct user owns each credential, I don't think there's any danger in allowing each credential ID once per user.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403#issuecomment-610946567 using your GitHub account

Received on Wednesday, 8 April 2020 13:03:30 UTC
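The two registration policies discussed in the comment above, written out as an added example (not code from the thread, from emlun, or from any WebAuthn library). `CredentialStore`, `register`, `lookup` and the colliding credential ID are all hypothetical, constructed for illustration; the point it shows is that the relaxed "once per user" policy is only safe when the authentication-side lookup is scoped to the user the client claims to be, so a colliding ID on someone else's record can never be used to verify a signature for the wrong account.

```python
"""Minimal relying-party credential table comparing 'globally unique' and
'unique per user' credential ID policies. Added example; hypothetical names."""
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Optional


class CredentialIdCollision(Exception):
    """Raised when a registration would reuse a credential ID the policy forbids."""


@dataclass(frozen=True)
class StoredCredential:
    user_id: str
    credential_id: bytes  # raw credential ID bytes (rawId / authData), never the string form
    public_key: bytes     # COSE key bytes; opaque for this example


def b64url(raw: bytes) -> str:
    """base64url without padding, the form in which browsers expose `id`."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def from_b64url(s: str) -> bytes:
    """Decode the browser-side `id` string back to raw bytes before comparing."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class CredentialStore:
    """Hypothetical in-memory RP credential table keyed by raw credential ID."""

    def __init__(self, globally_unique: bool = True):
        # True:  strict policy, refuse any credential ID registered to anyone.
        # False: relaxed policy from the comment, each ID at most once per user.
        self.globally_unique = globally_unique
        self._by_id: dict[bytes, list[StoredCredential]] = {}

    def register(self, user_id: str, credential_id: bytes, public_key: bytes) -> StoredCredential:
        existing = self._by_id.get(credential_id, [])
        if existing and self.globally_unique:
            raise CredentialIdCollision(
                f"credential ID {b64url(credential_id)} already registered to {self.owners(credential_id)}")
        if any(c.user_id == user_id for c in existing):
            # Even the relaxed policy never stores the same ID twice for one user.
            raise CredentialIdCollision(
                f"credential ID {b64url(credential_id)} already registered to {user_id}")
        cred = StoredCredential(user_id, credential_id, public_key)
        self._by_id.setdefault(credential_id, []).append(cred)
        return cred

    def lookup(self, user_id: str, credential_id: bytes) -> Optional[StoredCredential]:
        """Authentication-side check: return the credential only if it belongs to
        the *claimed* user. Under the relaxed policy this scoping is what keeps a
        colliding ID from resolving to another account's public key."""
        for c in self._by_id.get(credential_id, []):
            if c.user_id == user_id:
                return c
        return None

    def owners(self, credential_id: bytes) -> list[str]:
        return sorted({c.user_id for c in self._by_id.get(credential_id, [])})


def demo() -> dict:
    """Run both policies through a collision; returns the observed outcomes."""
    # Constructed sample: two users whose authenticators emitted the same ID,
    # e.g. an all-zero ID from a broken RNG.
    colliding_id = bytes(16)
    key_a, key_b = b"cose-key-alice", b"cose-key-bob"
    out = {}

    strict = CredentialStore(globally_unique=True)
    strict.register("alice", colliding_id, key_a)
    try:
        strict.register("bob", colliding_id, key_b)
        out["strict_second_registration"] = "accepted"
    except CredentialIdCollision:
        out["strict_second_registration"] = "rejected"

    relaxed = CredentialStore(globally_unique=False)
    relaxed.register("alice", colliding_id, key_a)
    relaxed.register("bob", colliding_id, key_b)
    out["relaxed_owners"] = relaxed.owners(colliding_id)
    out["relaxed_bob_key"] = relaxed.lookup("bob", colliding_id).public_key
    out["relaxed_unknown_user"] = relaxed.lookup("carol", colliding_id)
    try:
        relaxed.register("alice", colliding_id, key_a)
        out["relaxed_same_user_twice"] = "accepted"
    except CredentialIdCollision:
        out["relaxed_same_user_twice"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two practical notes: compare credential IDs as raw bytes (decode the browser's base64url `id` with `from_b64url` first) so that padding or encoding differences cannot make two equal IDs look different, and under either policy never let an authentication ceremony look the credential up by ID alone if the same ID may legitimately appear on more than one user's record.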