Re: [webauthn] How to know if a user has already registered a device? (#1749)

I do not understand why `credentials.exists(credentialId)` is a super-cookie? Because it really is `credentials.exists(rpId, credentialId)`. So `credentialId` makes sense only for `rpId` where only `rpId` which matches the site origin can use. So you can only check for `credentialId` for your site. In fact, I think only `credentials.exists(rpId)` is all that is needed. Is there any credential stored for the RP? How is that a super-cookie?

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1824973151 using your GitHub account


Received on Thursday, 23 November 2023 22:37:49 UTC