
Re: [webauthn] correct usage of userHandle? (#1385)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Fri, 06 Mar 2020 23:51:23 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-596012212-1583538681-sysbot+gh@w3.org>
Step 2 of https://www.w3.org/TR/webauthn/#verifying-assertion is prescriptive in its intended use of userHandle, which in the context of username-less login (aka empty allowCredentials list login) is for the measure I indicated previously - ensuring the credentialId is owned by that user. I don't think this means you *cannot* achieve a solution with credentialId alone (I'm fairly sure you can), however when using an empty allowCredentials list the user is typically presented with a dialog by the browser for identity selection / confirmation and it would be quite odd if the RP then logged you in as someone else based on credentialId lookup.

GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1385#issuecomment-596012212 using your GitHub account
Received on Friday, 6 March 2020 23:51:25 UTC
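As an added illustration of the step-2 ownership check discussed in the message above (example code written for this archive page, not code from the thread, the spec, or any RP implementation): an RP-side function that selects the user for an assertion. It covers both branches of step 2: when the RP identified the user before the ceremony (non-empty allowCredentials), the credential must belong to that user and any userHandle must agree; when allowCredentials was empty, the user is selected by userHandle and the credential must belong to that user rather than being resolved from credentialId alone. The user store, user handles and credential IDs are constructed sample data, and the function and class names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_handle: bytes          # opaque user.id chosen at registration, not a username
    name: str
    credential_ids: frozenset   # credential IDs registered to this user


class AssertionRejected(Exception):
    """Raised when the assertion fails the user/credential ownership check."""


# Constructed sample RP user store; handles and credential IDs are made-up values.
ALICE = User(b"\x01" * 16, "alice", frozenset({b"cred-alice-1", b"cred-alice-2"}))
BOB = User(b"\x02" * 16, "bob", frozenset({b"cred-bob-1"}))
USERS_BY_HANDLE = {u.user_handle: u for u in (ALICE, BOB)}
OWNER_OF_CREDENTIAL = {cid: u for u in (ALICE, BOB) for cid in u.credential_ids}


def select_user_for_assertion(credential_id, user_handle, allow_credentials,
                              identified_user=None):
    """Return the User the RP may log in, or raise AssertionRejected.

    credential_id     -- rawId from the assertion
    user_handle       -- response.userHandle (bytes) or None
    allow_credentials -- credential IDs the RP put in allowCredentials ([] for username-less)
    identified_user   -- the User the RP identified before the ceremony, if any
    """
    owner = OWNER_OF_CREDENTIAL.get(credential_id)
    if owner is None:
        raise AssertionRejected("unknown credential")

    if allow_credentials:
        # The RP already knows who is logging in: the credential must be one it
        # offered and must belong to that user; userHandle, when present, must agree.
        if identified_user is None:
            raise AssertionRejected("allowCredentials set but no user identified")
        if credential_id not in allow_credentials:
            raise AssertionRejected("credential not in allowCredentials")
        if owner != identified_user:
            raise AssertionRejected("credential is not owned by the identified user")
        if user_handle is not None and user_handle != identified_user.user_handle:
            raise AssertionRejected("userHandle does not match the identified user")
        return identified_user

    # Username-less flow: userHandle selects the user, and the credential must be
    # registered to that user. Returning `owner` from the credentialId lookup alone
    # would ignore the account the user just confirmed in the browser dialog.
    if user_handle is None:
        raise AssertionRejected("userHandle required when allowCredentials is empty")
    user = USERS_BY_HANDLE.get(user_handle)
    if user is None:
        raise AssertionRejected("unknown userHandle")
    if credential_id not in user.credential_ids:
        raise AssertionRejected("credential is not owned by the user in userHandle")
    return user


def is_rejected(*args, **kwargs):
    """True if the ownership check rejects the assertion, False if it accepts."""
    try:
        select_user_for_assertion(*args, **kwargs)
    except AssertionRejected:
        return True
    return False


if __name__ == "__main__":
    print(select_user_for_assertion(b"cred-alice-1", ALICE.user_handle, []).name)
    print(is_rejected(b"cred-alice-1", BOB.user_handle, []))
```

The second call in the usage section is the case the message warns about: a valid credential belonging to one account, presented with a userHandle for another, is rejected instead of being logged in as the credential's owner.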

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:40 UTC