Re: [webauthn] Require non-null userHandle when allowCredentials is empty? (#1892)

> @MasterKale see [#558 (comment)](https://github.com/w3c/webauthn/pull/558#issuecomment-329753114) and the answer: [#558 (comment)](https://github.com/w3c/webauthn/pull/558#issuecomment-330317134) 🙂

I'm going to pull those comments from the 2017 conversations in here for the sake of readability:

> Why is the user ID necessary for getAssertion? Even for the single factor use case, isn't it possible for the RP to identify the user from only the credential ID even with no allowCredentials? For example:
> 
> 1. Setup: The RP has an internal table linking credential IDs to public keys and internal user IDs, and the user has previously registered a credential with the RP
> 2. The user initiates an authentication ritual (providing no additional info at this point)
> 3. The RP generates a challenge and sends a PublicKeyCredentialRequest (with no allowCredentials) to the client
> 4. The authenticator chooses a credential and generates an assertion
> 5. The RP receives the PublicKeyCredential with an AuthenticatorAssertionResponse containing a credential ID and a signature by that credential
> 6. The RP looks up the public key from its table using the credential ID and verifies the challenge signature
> 7. If (6) fails, the RP asks the user to try again with a different credential
> 8. If (6) succeeds, the RP looks up the user ID from its table using the credential ID and initiates an authenticated session for that user
> 
> Shouldn't that work?

And @christiaanbrand's response:

> It's a bad idea to have some external system with limited context responsible for generating unique indices for a database. We really need to key off something we control, not the authenticator.

I'm not sure I understand Christiaan's response: is the "external system with limited context" the RP's back end? I don't get how it would have "limited context" here; it's the one with the source of truth as to which credentials belong to which users. The mention of "generating unique indices" in particular doesn't make sense to me, since we're talking auth, _after_ the RP has generated the various DB indices and user IDs.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1892#issuecomment-1551915436 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 17 May 2023 19:06:39 UTC