- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 16 Oct 2023 14:23:53 +0000
- To: public-webauthn@w3.org
This is mentioned in [§2.2.1. Backwards Compatibility with FIDO U2F](https://w3c.github.io/webauthn/#sctn-conforming-authenticators-u2f), and implied by the description of [`PublicKeyCredential.response.userHandle`](https://w3c.github.io/webauthn/#dom-authenticatorassertionresponse-userhandle):

>[...] The authenticator MUST always return a [user handle](https://w3c.github.io/webauthn/#user-handle) if the [allowCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials) option used in the [authentication ceremony](https://w3c.github.io/webauthn/#authentication-ceremony) is [empty](https://infra.spec.whatwg.org/#list-is-empty), and MAY return one otherwise.

Since U2F authenticators must always be used with non-empty `allowCredentials`, this implies that they always MAY (and in fact always do) return `userHandle: null`.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1989#issuecomment-1764595158 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 16 October 2023 14:23:55 UTC
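
One way a relying party could apply the rule quoted in the message above when identifying the user during an authentication ceremony. This is an added example, not part of the original message or of the specification; `resolveUser`, the credential store layout and the sample IDs are hypothetical and constructed, and IDs and user handles are shown as base64url strings.

```javascript
// Added example: decide which user an assertion belongs to, depending on
// whether allowCredentials was empty in the request options.
// resolveUser and the store layout are hypothetical, not a library API.
function resolveUser({ allowCredentialIds, credentialId, userHandle }, credentialStore) {
  // The credential must be one the relying party has registered.
  const record = credentialStore.get(credentialId);
  if (!record) return { ok: false, reason: "unknown credential" };

  if (allowCredentialIds.length === 0) {
    // Empty allowCredentials: the authenticator MUST return a user handle.
    if (userHandle == null) return { ok: false, reason: "missing userHandle" };
  } else if (!allowCredentialIds.includes(credentialId)) {
    // Non-empty allowCredentials: the credential must be one that was requested.
    return { ok: false, reason: "credential not in allowCredentials" };
  }

  // With non-empty allowCredentials the user handle MAY be absent
  // (U2F authenticators always return null). When present, it must
  // match the owner stored for this credential.
  if (userHandle != null && userHandle !== record.userHandle) {
    return { ok: false, reason: "userHandle mismatch" };
  }

  // The user is always taken from the stored record, so a null
  // userHandle is not an error in the non-empty case.
  return { ok: true, userHandle: record.userHandle };
}

// Constructed sample data: one U2F-style credential, one discoverable credential.
const store = new Map([
  ["Y3JlZC11MmY", { userHandle: "dXNlci0x" }],
  ["Y3JlZC1wYXNza2V5", { userHandle: "dXNlci0y" }],
]);

// U2F-style assertion: non-empty allowCredentials, userHandle null.
console.log(resolveUser(
  { allowCredentialIds: ["Y3JlZC11MmY"], credentialId: "Y3JlZC11MmY", userHandle: null },
  store
));
```
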