- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Fri, 06 Mar 2020 23:13:56 +0000
- To: public-webauthn@w3.org
I believe I've heard some RPs do exactly that - use the credentialId to resolve the user account, then determine the corresponding public key and username. About the only reason I can think of where userHandle adds value is that it is an assertion from the authenticator as to which user the credentialId was associated with at the time of registration. Therefore at authentication time it is potentially a way of ensuring the credentialId has not subsequently been swapped to another account at the RP (if the RP chooses to implement this measure).

--
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1385#issuecomment-596003973 using your GitHub account
Received on Friday, 6 March 2020 23:13:58 UTC
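
The optional RP-side check described in the message above, as an added example that is not part of the original message: the account is resolved from the credentialId, and the userHandle returned by the authenticator is compared with the handle issued at registration. The table layout, the `resolveAssertion` function and all sample values are assumptions constructed for illustration.

```javascript
// Added example, not from the original message. All names and values are hypothetical.
// Constructed RP table: credentialId -> the account row it currently points at.
const credentials = new Map([
  ['cred-A', { accountId: 'alice', publicKey: 'pk-A' }],
  ['cred-B', { accountId: 'bob', publicKey: 'pk-B' }],
]);

// Constructed account table: the user handle the RP issued at registration time.
const accounts = new Map([
  ['alice', { username: 'alice@example.test', userHandle: Buffer.from('a1a1a1a1', 'hex') }],
  ['bob', { username: 'bob@example.test', userHandle: Buffer.from('b2b2b2b2', 'hex') }],
]);

// Resolve the account from credentialId, then cross-check userHandle when present.
// Signature verification with the returned publicKey is a separate, mandatory step.
function resolveAssertion(assertion) {
  const cred = credentials.get(assertion.credentialId);
  if (!cred) return { ok: false, reason: 'unknown-credential' };

  const account = accounts.get(cred.accountId);
  if (!account) return { ok: false, reason: 'orphaned-credential' };

  const result = {
    ok: true,
    accountId: cred.accountId,
    username: account.username,
    publicKey: cred.publicKey,
    userHandleChecked: false,
  };

  // userHandle is nullable in an assertion response; without it there is
  // nothing to compare, so the lookup by credentialId stands on its own.
  const handle = assertion.userHandle;
  if (handle == null || handle.length === 0) return result;

  // The authenticator stored this handle at registration. If the RP's record
  // for this credentialId now points at a different account, the handles differ.
  if (!Buffer.from(handle).equals(account.userHandle)) {
    return { ok: false, reason: 'user-handle-mismatch' };
  }
  result.userHandleChecked = true;
  return result;
}
```

A `user-handle-mismatch` result is worth logging as an integrity event on the credential table rather than treating it as an ordinary failed login.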