Re: [webauthn] Managing FIDO keys (#1612)

Possibility three only applies to resident keys, which in order for the RP to request, you send an empty array of credential IDs anyway. So this would effectively just mean the server has some "defunct" keys in its DB, but they are not offered in an authentication ceremony :)

If the user wants to remove a non-resident (key wrapped key), they would need to remove this from the RP's specific interface, which would then remove it from their DB, and remove it from subsequent authentications.

So really, the fact you are seeing "zombie" credentials here is because those demo sites probably aren't handling those deletes properly. 

GitHub Notification of comment by Firstyear

Received on Friday, 14 May 2021 02:46:57 UTC
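
The RP-side handling described in the comment above, as an added sketch that is not part of the original message or of any project's code. The `CredentialStore` class, its method names and the sample credential IDs are hypothetical, and assertion signature verification is left out.

```python
class CredentialStore:
    """Constructed in-memory stand-in for the RP's credential table."""

    def __init__(self):
        # credential_id (bytes) -> {"user": str, "resident": bool}
        self._by_id = {}

    def register(self, user, credential_id, resident):
        self._by_id[credential_id] = {"user": user, "resident": resident}

    def delete(self, user, credential_id):
        """Removal through the RP's own interface; only the owner may delete."""
        rec = self._by_id.get(credential_id)
        if rec is None or rec["user"] != user:
            return False
        del self._by_id[credential_id]
        return True

    def allow_credentials(self, user=None):
        """allowCredentials for the next authentication ceremony.

        With no user named (resident-key flow) the list is empty, so a
        record the user has already wiped from the authenticator is never
        offered. With a user named, only rows still in the DB are listed.
        """
        if user is None:
            return []
        return [{"type": "public-key", "id": cid}
                for cid, rec in self._by_id.items() if rec["user"] == user]

    def lookup(self, credential_id):
        """Resolve the credential ID in an assertion; None means reject."""
        return self._by_id.get(credential_id)


if __name__ == "__main__":
    store = CredentialStore()
    # Constructed sample credential IDs.
    store.register("alice", b"wrapped-key-1", resident=False)
    store.register("alice", b"resident-key-1", resident=True)
    store.delete("alice", b"wrapped-key-1")
    print(store.allow_credentials("alice"))  # the deleted ID is not offered
    print(store.lookup(b"wrapped-key-1"))    # an assertion for it is rejected
```
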