- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Mon, 04 Mar 2024 19:58:56 +0000
- To: public-webauthn@w3.org

Oh good point about making sure the same `userHandle` is used! I implemented a user registration page rather naively. I guess it would make sense to write some more guidance for RPs here.

This is what I implemented:

1. I have a registration page where people can register an account by creating a passkey.
2. On page load of `/register` I generated a fresh `userHandle` and `challenge`. People then register by picking a `userName` and creating a passkey.
3. If this step then fails due to networking conditions, the user tries again.
4. Now the user has two passkeys in their keychain, with different `userHandle`s but the same `userName`s. Only one of them works.

I guess I should fix this as an RP by:

1. On the register page, generate a `userHandle` just once and save it in the session cookie.
2. If the person aborts the registration (e.g. due to networking errors) and reloads the page, they use the same `userHandle`.
3. If I understand correctly, the new passkey then overrides the old passkey in the UI (due to having the same `userHandle`?)

--
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2038#issuecomment-1977355268 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 4 March 2024 19:58:57 UTC
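
The fix proposed in the message above, sketched as an added example (not arianvp's code and not part of the original message): the `userHandle` is created once per pending registration and kept in server-side session state, while the `challenge` is regenerated for every attempt. The `session` object, the `accounts` map, the function names and the `example.test` RP are assumptions made for illustration, and attestation verification is out of scope.

```javascript
// Added example: registration state kept in the server-side session.
// WebCrypto is a global in current Node; older versions expose it on the module.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const randomB64url = (n) =>
  Buffer.from(webcrypto.getRandomValues(new Uint8Array(n))).toString("base64url");

// `session` is a hypothetical per-visitor object restored from the session cookie.
function beginRegistration(session, userName) {
  // Created once per pending registration: a reload or retry reuses it.
  session.pendingUserHandle ??= randomB64url(32);
  // Fresh for every attempt and consumed on use.
  session.challenge = randomB64url(32);
  return {
    rp: { id: "example.test", name: "Example RP" }, // placeholder RP
    user: { id: session.pendingUserHandle, name: userName, displayName: userName },
    challenge: session.challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },
      { type: "public-key", alg: -257 },
    ],
    authenticatorSelection: { residentKey: "required" },
  };
}

// `result` stands for values the RP has already extracted from a verified
// attestation response (the verification itself is not shown here).
function finishRegistration(session, result, accounts) {
  const expected = session.challenge;
  session.challenge = null; // single use, whether or not the attempt succeeds
  if (!expected || result.challenge !== expected) return false;
  accounts.set(session.pendingUserHandle, {
    userName: result.userName,
    credentialIds: [result.credentialId],
  });
  session.pendingUserHandle = null; // the next sign-up in this session gets a new handle
  return true;
}
```

The returned options use base64url strings for `user.id` and `challenge`; the page script has to decode them to buffers before calling `navigator.credentials.create()`.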