Re: [webauthn] make username fields optional (do not delete them, but do not force their usage, either, which is hostile against usernameless services) (#1942)

> If the user modifies data in the authenticator to have multiple credentials per site (which I think browsers should help them with)

If you don't mind users creating multiple accounts, you should set a different `user.id` for each account (for example, `crypto.getRandomValues(new Uint8Array(64))`, but you may want to create that value in the backend and store it in the user account in your database too). Setting `user.id = new Uint8Array([0])` for all account creations causes any existing credential to be overwritten, locking the user out of the previously created account.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1942#issuecomment-1825571503 using your GitHub account


Received on Friday, 24 November 2023 11:57:39 UTC
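
The overwrite behaviour described in the comment above, as an added example that is not part of the original comment or of the WebAuthn project's code. `ToyAuthenticator`, `newUserHandle`, `creationOptions`, `registerTwoAccounts` and the `example.test` RP ID are hypothetical; the model assumes the authenticator keeps one discoverable credential per (`rp.id`, `user.id`) pair.

```javascript
// Web Crypto is global in browsers and Node 19+; older Node exposes it via the module.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Hypothetical backend helper: a random, opaque handle generated once per
// account and stored with the account record (64 bytes is the user.id maximum).
function newUserHandle() {
  return webCrypto.getRandomValues(new Uint8Array(64));
}

// Builds only the fields that matter here; challenge, pubKeyCredParams etc. are omitted.
function creationOptions(rpId, userHandle, name) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userHandle, name, displayName: name },
    authenticatorSelection: { residentKey: "required" },
  };
}

// Toy model (assumption): one discoverable credential per (rp.id, user.id)
// pair, so registering the same pair again replaces the stored entry.
class ToyAuthenticator {
  constructor() { this.slots = new Map(); }
  makeCredential(options) {
    const slot = `${options.rp.id}|${hex(options.user.id)}`;
    const replaced = this.slots.get(slot) ?? null;
    const credentialId = hex(webCrypto.getRandomValues(new Uint8Array(16)));
    this.slots.set(slot, credentialId);
    return { credentialId, replaced };
  }
  credentialCount() { return this.slots.size; }
}

// Registers two accounts on one authenticator and reports what survived.
function registerTwoAccounts(handleForAccount) {
  const authenticator = new ToyAuthenticator();
  const first = authenticator.makeCredential(creationOptions("example.test", handleForAccount(), "account-1"));
  const second = authenticator.makeCredential(creationOptions("example.test", handleForAccount(), "account-2"));
  return {
    remaining: authenticator.credentialCount(),
    firstOverwritten: second.replaced === first.credentialId,
  };
}

console.log("constant user.id:", registerTwoAccounts(() => new Uint8Array([0])));
console.log("random user.id:  ", registerTwoAccounts(newUserHandle));
```

With the constant handle only one credential remains and the first account's credential is gone; with a random handle per account both remain.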