0

Google introduced WebAuthn (https://developers.google.com/web/updates/2018/05/webauthn) 2 years ago.

Is it possible to identify exactly which finger the user registered or is verifying with?

For example, the server will get not only the public key but also a random unique number mapping to the finger that the user registered. So it helps avoid many people using the same device to authenticate for one user ID.

Thang Le

1 Answer

1

The short answer is a simple no.

FIDO2 was conceived with privacy in mind, so there's no way to determine that even the same device was used to generate a key, let alone details of any biometric mechanism that may be in place to secure the private key.

mackie
  • From the fingerprint, we create a public key to share outside, so I don't see any security problem with sharing a random key linked to which fingerprint was enrolled. This random key is only tied to the phone ID and fingerprint. On another phone, even the same fingerprint would create a different random key. – Thang Le May 25 '20 at 10:27
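
What the relying party actually receives during a WebAuthn ceremony, as an added example that is not part of the original question or answer: the fixed header of `authenticatorData` carries only a "user verified" (UV) bit, with no field for the verification method or the finger used. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: parse the fixed 37-byte header of WebAuthn authenticatorData.
// Flag bit positions as defined in the WebAuthn specification.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flagByte = view.getUint8(32);
  const flags = {};
  for (const [name, mask] of Object.entries(FLAGS)) {
    flags[name] = (flagByte & mask) !== 0;
  }
  return {
    rpIdHash: bytes.slice(0, 32),
    flags,
    signCount: view.getUint32(33, false),
    // Attested credential data and extensions, present only if AT / ED are set.
    trailing: bytes.slice(37),
  };
}

// Server-side policy check: the UV bit is the only biometric-related signal.
function checkUserVerification(bytes, { requireUv = true } = {}) {
  const { flags } = parseAuthenticatorData(bytes);
  if (!flags.UP) return { ok: false, reason: "user not present" };
  if (requireUv && !flags.UV) return { ok: false, reason: "user not verified" };
  return { ok: true, reason: "user verified (method and finger unknown)" };
}

// Constructed sample: placeholder rpIdHash (0xAA repeated), given flags, signCount 7.
function sampleAuthData(flagByte) {
  const data = new Uint8Array(37);
  data.fill(0xaa, 0, 32);
  data[32] = flagByte;
  new DataView(data.buffer).setUint32(33, 7, false);
  return data;
}

// Any enrolled finger (or a device PIN) yields the same UP|UV flags.
const verifiedLogin = sampleAuthData(FLAGS.UP | FLAGS.UV);
const touchOnlyLogin = sampleAuthData(FLAGS.UP);
console.log(checkUserVerification(verifiedLogin));
console.log(checkUserVerification(touchOnlyLogin));
```

A relying party that needs verification on every login sets `userVerification: "required"` in its request options and rejects assertions whose UV bit is clear; it still cannot distinguish between the people enrolled on the device.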