Re: [webauthn] How to deal with discoverable credentials? (#1764)

> In my implementations I've associated each new challenge with a "request ID" which is sent to the client along with the challenge and returned to the server with the signed response. The server then looks up the request ID and removes it from the state map in memory, then verifies that the signed response matches the challenge that was stored for that request ID. This ensures that at most one authentication attempt is allowed for each challenge.

@Firstyear I don't see why the challenge cannot be used as the value of the "request ID" in this particular implementation. Both are opaque unique strings. Surely you can associate C with C and the algorithm still works. I'm just trying to understand why the "request ID" has to be different from the challenge.

-- 
GitHub Notification of comment by ndpar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1764#issuecomment-1176966506 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 7 July 2022 02:17:37 UTC
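The lookup-and-remove step the quoted reply describes, written out as an added Python sketch that is not from this thread or from any WebAuthn library: ChallengeStore, bind_response_to_challenge, the example origin and the clientDataJSON builder are all constructed for illustration. The key_by_challenge switch runs the same consume-then-compare step with either a separate random request ID or the base64url-encoded challenge as the map key, so the single-use property can be checked in both configurations. Verifying the assertion signature itself is out of scope here.

```python
import base64
import json
import secrets
import threading
import time
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the form WebAuthn uses for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


class ChallengeStore:
    """In-memory map of pending challenges keyed by a request ID (constructed example).

    key_by_challenge=True uses the encoded challenge itself as the request ID;
    False uses a separate random ID. consume() is identical in both modes.
    """

    def __init__(self, ttl_seconds: float = 120.0, key_by_challenge: bool = False) -> None:
        self._pending: Dict[str, Tuple[bytes, float]] = {}
        self._lock = threading.Lock()
        self._ttl = ttl_seconds
        self._key_by_challenge = key_by_challenge

    def issue(self) -> Tuple[str, bytes]:
        """Create a fresh challenge and record it under a request ID."""
        challenge = secrets.token_bytes(32)
        request_id = b64url_encode(challenge) if self._key_by_challenge else secrets.token_urlsafe(16)
        with self._lock:
            self._pending[request_id] = (challenge, time.monotonic() + self._ttl)
        return request_id, challenge

    def consume(self, request_id: str) -> Optional[bytes]:
        """Remove and return the pending challenge; None if unknown, already used, or expired.

        Popping before checking anything else is what limits each challenge to one attempt."""
        with self._lock:
            entry = self._pending.pop(request_id, None)
        if entry is None:
            return None
        challenge, expires_at = entry
        if time.monotonic() > expires_at:
            return None
        return challenge

    def pending_count(self) -> int:
        with self._lock:
            return len(self._pending)


def bind_response_to_challenge(store: ChallengeStore, request_id: str,
                               client_data_json: bytes, expected_origin: str) -> bool:
    """Check that the returned clientDataJSON carries the challenge stored for request_id."""
    stored = store.consume(request_id)
    if stored is None:
        return False
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != expected_origin:
        return False
    try:
        returned = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False
    return secrets.compare_digest(returned, stored)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would produce for an assertion."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return json.dumps(payload).encode("utf-8")


def demo(key_by_challenge: bool) -> Dict[str, bool]:
    """Issue one challenge, accept it once, then show that a replay and a mismatched ID fail."""
    origin = "https://rp.example"  # constructed example origin
    store = ChallengeStore(key_by_challenge=key_by_challenge)
    request_id, challenge = store.issue()
    response = make_client_data(challenge, origin)
    first = bind_response_to_challenge(store, request_id, response, origin)
    replay = bind_response_to_challenge(store, request_id, response, origin)
    other_id, _ = store.issue()
    # The old response presented under a different request ID: consumed, then rejected.
    mismatch = bind_response_to_challenge(store, other_id, response, origin)
    return {"first_attempt": first, "replay": replay, "wrong_request_id": mismatch}


if __name__ == "__main__":
    print("separate request ID:", demo(key_by_challenge=False))
    print("challenge as request ID:", demo(key_by_challenge=True))
```

Because consume() pops the entry before any comparison, a response that fails the origin or challenge check still burns the stored challenge, which is the "at most one authentication attempt per challenge" behaviour in both keying modes.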