
Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 09 Feb 2021 09:36:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-775800243-1612863365-sysbot+gh@w3.org>
Even if Windows Hello and Safari were to change their implementations in the future, there will continue to exist roaming authenticators that will still overwrite an existing discoverable credential if it already has one with the same (rpId, userHandle). But it looks like this could be solved if we recommend that RPs, for example, generate a new unique user handle for each new credential, instead of using a single user handle per user.

On the other hand, maybe it's better if clients could ask the user to confirm an overwrite - after all, one of the reasons to have it behave that way was that it's probably rarely useful to have more than one credential for the same account on the same authenticator. I'm not completely certain CTAP2 gives the client access to all the information it would need to detect the situation, but maybe? It might require the credential management additions in CTAP2.1 though.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-775800243 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
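To make the trade-off in the comment concrete, here is a small added model (not code from the WebAuthn spec or from the thread) of a roaming authenticator that keeps one discoverable credential per (rpId, userHandle) and overwrites on collision, beside an RP that can either reuse one user handle per account or mint a fresh handle per credential. The RP name, account name and handle lengths are constructed for the illustration.

```python
import os
from dataclasses import dataclass, field


@dataclass
class Authenticator:
    """Model of an authenticator that stores at most one discoverable
    credential per (rpId, userHandle) and overwrites on collision."""
    store: dict = field(default_factory=dict)  # (rp_id, user_handle) -> credential_id

    def make_credential(self, rp_id: str, user_handle: bytes) -> bytes:
        credential_id = os.urandom(16)  # constructed random credential ID
        self.store[(rp_id, user_handle)] = credential_id  # silently replaces any old one
        return credential_id

    def has_credential(self, credential_id: bytes) -> bool:
        return credential_id in self.store.values()


class RelyingParty:
    """RP side: chooses the user handle and remembers handle -> account."""

    def __init__(self, rp_id: str, handle_per_credential: bool):
        self.rp_id = rp_id
        self.handle_per_credential = handle_per_credential
        self.account_handles: dict[str, bytes] = {}   # account -> shared handle
        self.handle_to_account: dict[bytes, str] = {}  # any handle -> account
        self.registered: dict[str, list[bytes]] = {}   # account -> credential IDs

    def _user_handle(self, account: str) -> bytes:
        if self.handle_per_credential:
            handle = os.urandom(32)  # fresh random handle (WebAuthn allows up to 64 bytes)
        else:
            handle = self.account_handles.setdefault(account, os.urandom(32))
        self.handle_to_account[handle] = account  # login still resolves handle -> account
        return handle

    def register(self, account: str, authenticator: Authenticator) -> bytes:
        credential_id = authenticator.make_credential(self.rp_id, self._user_handle(account))
        self.registered.setdefault(account, []).append(credential_id)
        return credential_id

    def usable_credentials(self, account: str, authenticator: Authenticator) -> int:
        """How many credentials the RP stored for the account still exist on the device."""
        return sum(authenticator.has_credential(c) for c in self.registered.get(account, []))


def surviving_credentials(handle_per_credential: bool, registrations: int = 2) -> int:
    rp, auth = RelyingParty("example.com", handle_per_credential), Authenticator()
    for _ in range(registrations):
        rp.register("alice", auth)
    return rp.usable_credentials("alice", auth)
```

With a shared handle, every registration after the first evicts the previous credential on that authenticator, while the RP still believes both credential IDs are valid; with a handle per credential, all of them survive and the RP can still map each handle back to the account.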
Received on Tuesday, 9 February 2021 09:36:07 UTC
