
I'm implementing webauthn as a proof-of-concept.

I want my users to be able to log in using several different "platform" authenticators, for example Windows Hello on their desktop computer and Face ID on their iPhone. Each authenticator will have its own public key, which it sends to the RP and which I'll store in a database.

When it comes time for the user to log in (calling navigator.credentials.get()), how do I know on the server (RP) which public key to use? Or should I just try them all?

Having multiple devices for a single user seems to be a supported scenario according to https://www.w3.org/TR/webauthn/#usecase-new-device-registration so I'm guessing there is some sort of official or best-practice way of implementing this.

So, if a user has multiple public keys associated with it, how do I know which one to use when verifying the login/assertion signature?

Tobbe

2 Answers


When it comes time for the user to log in (calling navigator.credentials.get()), how do I know on the server (RP) which public key to use? Or should I just try them all?

You got it right: you should try them all at the same time. That's why allowCredentials is a list; you can include multiple IDs. The response will tell you which one was picked.

Nina Satragno

In the authData structure there is an "attested credential data" field. Nested in that field there is a "credential id" field. You should save this together with the public key parsed from the same structure.

Attestation Object (Figure copied from: https://www.w3.org/TR/webauthn/#attestation-object)

Later, when logging in, you will get an id field (and rawId) from navigator.credentials.get(). This id will match the "credential id" from earlier and can thus be used to look up the correct public key to use.

Tobbe