Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

I don't remember a discussion around user handle + UV, but the user handle is always returned when the credential is a passkey and a modal flow is used (e.g. no allowlist).

> A user handle is an identifier for a user account, specified by the Relying Party as user.id during registration. Discoverable credentials store this identifier and MUST return it as response.userHandle in authentication ceremonies started with an empty allowCredentials argument.

https://www.w3.org/TR/webauthn-3/#user-handle

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2676473181 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 23 February 2025 00:44:18 UTC
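
An added example, not part of the comment above or of the specification text: a sketch of how a Relying Party server can bind the returned userHandle to the credential ID, following the spec's assertion-verification rule that a ceremony started with an empty allowCredentials must carry response.userHandle and that the account it names must own credential.rawId. The store, the function name `resolveAccount` and all sample values are constructed for illustration; signature and authenticator-data verification are assumed to happen in a separate step.

```javascript
// Constructed sample store: credential id -> record saved at registration.
// A real RP would keep user.id (the user handle) next to each credential record.
const credentialRecords = new Map([
  ["cred-alice-1", { userHandle: "uh-alice", account: "alice" }],
  ["cred-bob-1", { userHandle: "uh-bob", account: "bob" }],
]);

// Decide which account an assertion authenticates.
// assertion: { rawId, userHandle } as received from the client (already decoded).
// preIdentifiedAccount: account name when the user was identified before the
// ceremony (non-empty allowCredentials), or null for the empty-allowCredentials flow.
function resolveAccount(assertion, preIdentifiedAccount = null) {
  const record = credentialRecords.get(assertion.rawId);
  if (!record) throw new Error("unknown credential id");

  const handle = assertion.userHandle;
  const handlePresent = handle !== undefined && handle !== null && handle !== "";

  if (preIdentifiedAccount !== null) {
    // User identified up front: the credential must belong to that account,
    // and a userHandle, if the authenticator returned one, must agree.
    if (record.account !== preIdentifiedAccount) {
      throw new Error("credential is not registered to the identified account");
    }
    if (handlePresent && handle !== record.userHandle) {
      throw new Error("userHandle does not match the identified account");
    }
    return record.account;
  }

  // Empty allowCredentials: userHandle is the only account identifier, so it
  // must be present and must name the account that owns this credential id.
  if (!handlePresent) {
    throw new Error("userHandle missing in empty-allowCredentials ceremony");
  }
  if (handle !== record.userHandle) {
    throw new Error("userHandle does not own this credential id");
  }
  return record.account;
}
```

The account returned here should only be logged in after the assertion signature has been verified with the public key stored in the same credential record.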