- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Fri, 06 Mar 2020 23:51:23 +0000
- To: public-webauthn@w3.org
Step 2 of https://www.w3.org/TR/webauthn/#verifying-assertion is prescriptive in it's intended use of userHandle, which in the context of username-less login (aka empty allowCredentials list login) is for the measure I indicated previously - ensuring the credentialId is owned by that user. I don't think this means you *cannot* achieve a solution with credentialId alone (I'm fairly sure you can), however when using an empty allowCredentials list the user is typically presented with a dialog by the browser for identity selection / confirmation and it would be quite odd if the RP then logged you in as someone else based on credentialId lookup. -- GitHub Notification of comment by sbweeden Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1385#issuecomment-596012212 using your GitHub account
Received on Friday, 6 March 2020 23:51:25 UTC