I have a doubt. I have set up a complete solution around the Yubico U2F keys. But now, I cannot stop duplicate registration of the same device for a user for the same app id. When I check the key handles in my database, they show different values for each of the duplicate registrations. Please help me out.
1 Answer
If you are using the WebAuthn API, you can send all the already registered keys to the client when trying to add a new key using the 'excludeCredentials' key. These credentials would be formatted the same as when trying to log in.
excludeCredentials — Contains a list of credentials that were already registered to the user. This list is then given to the authenticator, and if the authenticator recognises any of them, it cancels operation with error CREDENTIAL_EXISTS, thus preventing double registration of the same authenticator.
Source: https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285
An example of the JSON the client receives when adding a new key could be:
{
  "publicKey": {
    "rp": {
      "name": "YourApp",
      "id": "YourAddress"
    },
    "authenticatorSelection": {
      "userVerification": "preferred"
    },
    "user": {
      "id": "UserId",
      "name": "Username",
      "displayName": "displayName"
    },
    "pubKeyCredParams": [
      {
        "type": "public-key",
        "alg": -7
      }
    ],
    "attestation": "direct",
    "extensions": {
      "exts": true
    },
    "timeout": 20000,
    "challenge": "...",
    "excludeCredentials": [
      {
        "id": "...",
        "type": "public-key",
        "transports": [
          "usb",
          "ble",
          "nfc",
          "internal"
        ]
      },
      {
        "id": "...",
        "type": "public-key",
        "transports": [
          "usb",
          "ble",
          "nfc",
          "internal"
        ]
      }
    ]
  }
}
When the browser detects that the user tries to register a key that was already registered, it will tell the user to try another key and the request will not be sent to the server at all.
This is only practicable for 2FA. For creating new accounts it is not possible to send thousands of IDs of all existing users. – Horcrux7 Jan 06 '22 at 14:57
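As an added example that is not part of the original answer or comment, here is how a relying party would build those options from the credentials it already holds for the user, together with the client-side error that signals a recognised key and the server-side duplicate check that still belongs beside it. The rp/user values and the sample credential IDs are constructed; the exclude list is per user, which is why, as the comment notes, this fits adding a factor to an existing account rather than fresh sign-up.

```javascript
// Added example (not from the original post): build the WebAuthn
// registration options so every credential already stored for this user
// lands in excludeCredentials. Runs under Node (uses Buffer); use atob in a browser.

// Constructed sample: two credentials this user registered earlier.
const SAMPLE_STORED_CREDENTIALS = [
  { credentialId: 'AQIDBA', transports: ['usb', 'nfc'] },  // bytes 01 02 03 04
  { credentialId: 'BQYHCA', transports: ['internal'] },    // bytes 05 06 07 08
];

// Stored IDs are base64url strings; the WebAuthn API wants raw bytes.
function base64urlToBytes(b64url) {
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  return new Uint8Array(Buffer.from(b64, 'base64'));
}

// Options for an already authenticated user. The exclude list is only this
// user's own credentials, so it stays short; that presupposes you know who
// the user is (adding a second factor), not a fresh account sign-up.
function buildRegistrationOptions(rp, user, storedCredentials, challengeB64url) {
  return {
    rp,
    user: { id: base64urlToBytes(user.id), name: user.name, displayName: user.displayName },
    challenge: base64urlToBytes(challengeB64url),
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
    authenticatorSelection: { userVerification: 'preferred' },
    attestation: 'direct',
    timeout: 20000,
    excludeCredentials: storedCredentials.map((c) => ({
      type: 'public-key',
      id: base64urlToBytes(c.credentialId),
      transports: c.transports,
    })),
  };
}

// Browser side: navigator.credentials.create() rejects with a DOMException named
// "InvalidStateError" when the authenticator recognises an excluded credential.
function isAlreadyRegisteredError(err) {
  return Boolean(err) && err.name === 'InvalidStateError';
}

// Server side, defence in depth: a tampered client can simply drop the exclude
// list, so refuse a credential ID that is already stored for anyone. This only
// catches a replayed ID; a genuine second registration of the same key yields a
// fresh ID (as the question observed), which only the exclude list can detect.
function isDuplicateCredentialId(allStoredCredentials, newCredentialIdB64url) {
  return allStoredCredentials.some((c) => c.credentialId === newCredentialIdB64url);
}
```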