Re: [webauthn] correct usage of userHandle? (#1385)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Fri, 06 Mar 2020 23:13:56 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-596003973-1583536435-sysbot+gh@w3.org>

I believe I've heard some RPs do exactly that - use the credentialId to resolve the user account, then determine the corresponding public key and username. About the only reason I can think of where userHandle adds value is that it is an assertion from the authenticator as to which user the credentialId was associated with at the time of registration. Therefore at authentication time it is potentially a way of ensuring the credentialId has not subsequently been swapped to another account at the RP (if the RP chooses to implement this measure).

GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1385#issuecomment-596003973 using your GitHub account
Received on Friday, 6 March 2020 23:13:58 UTC
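
The check described in the message above, sketched as an added example that is not part of the original post or of any RP's actual code: the RP resolves the account from the credentialId, then compares the userHandle returned with the assertion against the handle stored for that account. The tables, field names, `resolveUser` and the `requireUserHandle` option are hypothetical, and all sample values are constructed.

```javascript
// Hypothetical RP tables; every value is a constructed base64url sample.
const accounts = new Map([
  ["acct-1", { username: "alice", userHandle: "dWgtYWxpY2U" }],
  ["acct-2", { username: "bob", userHandle: "dWgtYm9i" }],
]);
const credentials = new Map([
  ["Y3JlZC1B", { accountId: "acct-1" }],
  ["Y3JlZC1C", { accountId: "acct-2" }],
]);

// Compare decoded bytes so padding or alphabet differences do not matter.
function b64urlToBytes(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Resolve the account from credentialId, then cross-check the userHandle the
// authenticator returned against the handle stored for that account.
// requireUserHandle is an assumed policy flag for flows where the RP expects
// the authenticator to return a userHandle.
// Signature verification with the stored public key is a separate step.
function resolveUser(assertion, { requireUserHandle = false } = {}) {
  const cred = credentials.get(assertion.credentialId);
  if (!cred) return { ok: false, reason: "unknown-credential" };
  const account = accounts.get(cred.accountId);
  if (!account) return { ok: false, reason: "orphaned-credential" };

  // userHandle can be absent from an assertion response.
  if (assertion.userHandle == null || assertion.userHandle === "") {
    return requireUserHandle
      ? { ok: false, reason: "missing-user-handle" }
      : { ok: true, username: account.username, handleChecked: false };
  }
  const presented = b64urlToBytes(assertion.userHandle);
  const expected = b64urlToBytes(account.userHandle);
  if (!presented.equals(expected)) {
    // The credential row now points at a different account than the one the
    // authenticator recorded at registration: treat as a swapped credential.
    return { ok: false, reason: "user-handle-mismatch" };
  }
  return { ok: true, username: account.username, handleChecked: true };
}
```

A `user-handle-mismatch` result is worth logging as a data-integrity event rather than as an ordinary failed login.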