Re: [webauthn] correct usage of userHandle? (#1385)

WebAuthn was designed to be flexible to fit a number of different RP
models of how to store user accounts.

With U2F you first look up the user and then look up the credentialID to
validate it as a second factor.

You could as a RP just index by credentialID and that would work just fine.

Some RPs have multiple buckets of users so use the userHandle as a hint about what
database to look up the credentialID.

Some RPs prefer to keep the model of indexing the credentialID by user so
put some sort of account identifier in the userHandle and use that to
look up the credentialID.

From a privacy point of view there is a restriction to not put PII like
an email in the userHandle as that could leak if someone got physical
access to the authenticator.

Other than that use userHandle in whatever way works with your backend.

John B.


On 3/6/2020 8:13 PM, Shane Weeden via GitHub wrote:
> I believe I've heard some RP's do exactly that - use the credentialId
> to resolve the user account, then determine the corresponding public
> key and username. About the only reason I can think of where
> userHandle adds value is that it is an assertion from the
> authenticator as to which user the credentialId was associated with at
> the time of registration. Therefore at authentication time it is
> potentially a way of ensuring the credentialId has not subsequently
> been swapped to another account at the RP (if the RP chooses to
> implement this measure).
>

Received on Friday, 6 March 2020 23:34:14 UTC