Re: [webauthn] How to deal with discoverable credentials? (#1764) from Arnaud Dagnelies via GitHub on 2022-07-06 (public-webauthn@w3.org from July 2022)

From: Arnaud Dagnelies via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Jul 2022 11:10:21 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1176092792-1657105819-sysbot+gh@w3.org>

I got the gist of it. I guess I should paraphrase my problem. 

In the default use case, with predetermined username, it's straightforward. When a login attempt occurs, on the server side you associate a challenge to this user, then this challenge is signed using webauthn, then you verify  server side that the signature and challenge match. 

However, in the case of discoverable credentials, this association username <-> challenge does not yet exist. So what do you do? Do you maintain some giant pool of anonymous challenges to check from or what?

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1764#issuecomment-1176092792 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 11:10:23 UTC