W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2020

Re: [webauthn] correct usage of userHandle? (#1385)

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Fri, 6 Mar 2020 20:32:09 -0300
To: public-webauthn@w3.org
Message-ID: <24de13f7-ceb9-a518-5474-3cf4ebc42316@ve7jtb.com>
WebAuthn was designed to be flexable to fit a number of diffrent RP
models of how to store user accounts.

With U2F you first look up the user and then look up the credentialID to
validate it as a second factor.

You could as a RP jus index by credentialID and that would work just fine.

Some RP have multiple buckets of users so use the as a hint about what
database to look up the credentialID.

Some RP prefer to keep the model of indexing the credentialID by user so
put some sort of account identifier in the userHandle and use that to
look up the credentialID.

From a privacy point of view there is a restriction to not put PII like
an email in the userHandle as that could leak if someone got phisical
access to the authenticator.

Other than that use userHandle in whatever way works with your backend.

John B.


On 3/6/2020 8:13 PM, Shane Weeden via GitHub wrote:
> I believe I've heard some RP's do exactly that - use the credentialId
> to resolve the user account, then determine the corresponding public
> key and username. About the only reason I can think of where
> userHandle adds value is that it is an assertion from the
> authenticator as to which user the credentialId was associated with at
> the time of registration. Therefore at authentication time it is
> potentially a way of ensuring the crendentialId has not subsequently
> be swapped to another account at the RP (if the RP chooses to
> implement this measure).
>
Received on Friday, 6 March 2020 23:34:14 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:40 UTC