
After registration via webauthn, we receive a credential id which we use to associate with that user (along with other info, like public key etc. on the backend). And during login we create the publicKeyCredentialRequestOptions which we pass to navigator.credentials.get; in it we pass the credential id.

My question is what's the value in passing the 'user' key in the publicKeyCredentialCreationOptions (which contains id, name, displayName) when we call navigator.credentials.create? I (think) the user info might be returned as part of the Assertion response (in the userHandle field), but I'm not sure how that adds value (as we probably already have that info on the backend).

noi.m

1 Answer


Firstly, the information can be presented by the browser/OS UI. E.g. on Windows 10 the dialog that is presented says "Set up your security key to sign in to {hostname} as {username}".

The real value however is when you request a resident key (via authenticatorSelection.requireResidentKey). This means the account information (tied to the origin) is stored on the authenticator itself. This allows for usernameless logins since the authenticator itself has the account info for a given site on it. Account selection is then handled via the browser/OS UI without the server having to reveal any information about the user in question. To achieve this all you have to do is leave allowCredentials undefined.

mackie