The id used to store a WebAuthnCredential is generated by the client (e.g. browser), as explained in the spec.

As I understand, as part of the sign-in ceremony, the client will look for all credentials stored locally for a given relying party (e.g. domain), and give the user the option to select one to use to authenticate.

Then, the client will send the data of the credential selected by the user to the server.

This data contains:

- the id mentioned earlier
- a username
- and the response to the challenge sent by the server
- some more data not relevant for this question (I think)

Two questions on this thinking (assuming I wrote it correctly):

1. Can the ID generated by the client be assumed to be globally unique for a given relying party?
2. Why not use the username as ID (provided the server and UI will prevent duplicates)? This is actually what I am currently doing.
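
As an added example (not part of the original post, and not code from any WebAuthn library): a server-side store keyed by credential id for one account with two authenticators, next to a username-keyed map of the same two registrations. `CredentialStore`, its methods and every sample value are hypothetical and constructed; the assertion shape assumes the `id` and `response.userHandle` fields of a JSON-serialized WebAuthn assertion.

```javascript
// Added example; CredentialStore and its methods are hypothetical names.
class CredentialStore {
  constructor() {
    this.byId = new Map();   // credential id (base64url) -> { userHandle, username, publicKey }
    this.byUser = new Map(); // user handle -> Set of that user's credential ids
  }

  // Registration: refuse a credential id that is already stored for any account.
  register(userHandle, username, credentialId, publicKey) {
    if (this.byId.has(credentialId)) {
      throw new Error("credential id already registered");
    }
    this.byId.set(credentialId, { userHandle, username, publicKey });
    if (!this.byUser.has(userHandle)) this.byUser.set(userHandle, new Set());
    this.byUser.get(userHandle).add(credentialId);
  }

  // Sign-in: look the credential up by the id in the assertion, then check
  // that the user handle (when the client sent one) names the same account.
  findForAssertion(assertion) {
    const record = this.byId.get(assertion.id);
    if (!record) return null;
    const sent = assertion.response.userHandle;
    if (sent != null && sent !== record.userHandle) return null;
    return record; // caller still verifies the signature with record.publicKey
  }
}

// Constructed sample: one account, two authenticators.
function buildSampleStore() {
  const store = new CredentialStore();
  store.register("dXNlci0x", "alice", "Y3JlZC1sYXB0b3A", "pk-laptop");
  store.register("dXNlci0x", "alice", "Y3JlZC1waG9uZQ", "pk-phone");
  return store;
}

// The same two registrations in a map keyed by username: the second replaces the first.
function usernameKeyedSurvivors() {
  const byUsername = new Map();
  byUsername.set("alice", { credentialId: "Y3JlZC1sYXB0b3A", publicKey: "pk-laptop" });
  byUsername.set("alice", { credentialId: "Y3JlZC1waG9uZQ", publicKey: "pk-phone" });
  return [...byUsername.values()].map((r) => r.credentialId);
}
```
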