Re: [webauthn] Add onlyCreate to prevent creation of a new key for existing user (#2313)

> * Call `get` with constant user ID and immediate mediation set.

This won't work, because [immediate mediation](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation) does not allow setting `allowCredentials` (the closest equivalent of a "user ID" parameter), since that would enable malicious RPs to silently probe for credential existence and thus de-anonymize users without consent.

I don't think this is functionally different from #1568, because the hard part is how the client should decide whether or not a credential exists. The only difference between this (assuming it would only reveal credential existence after the user confirms consent) and #1568, then, is whether the client fails out or fails over to `get` when it decides that a credential does exist. This doesn't really solve any of the issues with #1568.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2313#issuecomment-3061924901 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 July 2025 11:33:07 UTC