Step 2 of https://www.w3.org/TR/webauthn/#verifying-assertion is prescriptive in it's intended use of userHandle, which in the context of username-less login (aka empty allowCredentials list login) is for the measure I indicated previously - ensuring the credentialId is owned by that user. I don't think this means you *cannot* achieve a solution with credentialId alone (I'm fairly sure you can), however when using an empty allowCredentials list the user is typically presented with a dialog by the browser for identity selection / confirmation and it would be quite odd if the RP then logged you in as someone else based on credentialId lookup. -- GitHub Notification of comment by sbweeden Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1385#issuecomment-596012212 using your GitHub accountReceived on Friday, 6 March 2020 23:51:25 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:40 UTC