Re: [webauthn] How to deal with discoverable credentials? (#1764)

> can you use the challenge as "request ID"?

Perhaps, as long as you only allow one authentication attempt per challenge and verify that the correct user owns the signing public key, but I'm not sure there aren't subtle pitfalls.

For any further questions, please continue the discussion on the [public-webauthn@w3c.org](https://lists.w3.org/Archives/Public/public-webauthn/) or [fido-dev@fidoalliance.org](https://groups.google.com/a/fidoalliance.org/g/fido-dev) mail list instead.



-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1764#issuecomment-1177318610 using your GitHub account



Received on Thursday, 7 July 2022 09:37:59 UTC
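
The bookkeeping the comment describes (one authentication attempt per challenge, plus a check that the asserted user owns the credential) could look like the sketch below. It is an added example, not code from the comment or from any WebAuthn library. `PendingRequests`, `AuthError`, `TTL_SECONDS` and `sample_client_data` are hypothetical names, and verification of the assertion signature and origin is assumed to happen in a separate step.

```python
import base64
import json
import secrets
import time

TTL_SECONDS = 120  # assumed lifetime of a pending request

class AuthError(Exception):
    pass

def sample_client_data(challenge, kind="webauthn.get"):
    """Constructed clientDataJSON, shaped like what a browser would return."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": kind, "challenge": b64, "origin": "https://rp.example"})

class PendingRequests:
    """Pending authentication requests, keyed by challenge (the request ID)."""

    def __init__(self, credential_owners, clock=time.monotonic):
        self._owners = credential_owners  # credential ID -> owner's user handle
        self._pending = {}                # challenge -> expiry time
        self._clock = clock

    def begin(self):
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = self._clock() + TTL_SECONDS
        return challenge

    def finish(self, client_data_json, credential_id, user_handle):
        try:
            data = json.loads(client_data_json)
            if data["type"] != "webauthn.get":
                raise AuthError("not an authentication assertion")
            b64 = data["challenge"]
            challenge = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        except (ValueError, KeyError, TypeError) as exc:
            raise AuthError("malformed clientDataJSON") from exc
        # pop() consumes the challenge before any other check, so a failed
        # attempt cannot be retried against the same challenge.
        expiry = self._pending.pop(challenge, None)
        if expiry is None:
            raise AuthError("unknown or already used challenge")
        if self._clock() > expiry:
            raise AuthError("challenge expired")
        owner = self._owners.get(credential_id)
        if owner is None or owner != user_handle:
            raise AuthError("credential is not owned by this user")
        return owner  # signature and origin checks are a separate step
```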