
I was testing out WebAuthn on the front end (this means no backend things, like challenge, id, etc.).

  1. Why does the icon matter?

When I first tried, I could only auth with a security key. But when I added an icon: undefined to publickey.user.icon, I could auth with Windows Hello. And even if I insert a REAL icon link, it didn't show up. Windows 10 Edu, the latest version.

  2. How can I implement it?

I've found that I could use res(navigator.credentials....).response.attestationObject. Is this the right way to use WebAuthn?

  3. About physical security keys

Let's say I've got a security key USB with fingerprint support. Then I put my fingerprint and register with WebAuthn. Then my friend comes in, and he does the registration with his fingerprint. Then would the key (.response.attestationObject) be the same because it's the same physical fingerprint, or be different because they're different fingerprints?

Spomky-Labs
sh9351

1 Answer


[Partial answer here, I will be happy to see other answers from community members]

  1. The icon parameter has been removed from the new version of the specification.

It was a property with an a priori authenticated URL, e.g. data::/ instead of https://

  2. Can you be more precise?

  3. A security key is usually used by only one user. New credentials are generated each time a user uses the key to register on an application. With the use case you mention, 2 sets of credentials will be generated by the key and associated with biometric data. There is no chance for user 2 to be logged in as user 1.

Spomky-Labs
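The client-side registration flow the question asks about, added here as an example and not code from the question, the answer or Spomky-Labs' library. It assumes a hypothetical server endpoint that issues the challenge and consumes the result; the mock credential, rpId and user values are constructed.

```javascript
// base64url without padding, the usual transport encoding for WebAuthn byte fields.
function base64url(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build PublicKeyCredentialCreationOptions. `challenge` and `userId` are byte arrays the
// server generated (assumed endpoint); `user` deliberately has no `icon`, which left the spec.
function buildCreationOptions({ challenge, userId, userName, rpId }) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: userName, displayName: userName },
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }], // ES256, RS256
      authenticatorSelection: { userVerification: 'preferred' },
      attestation: 'none',
      timeout: 60000,
    },
  };
}

// The client only relays the credential; clientDataJSON and attestationObject are verified on
// the server (the attestationObject carries the credential ID and public key as CBOR).
function serializeRegistration(credential) {
  return {
    id: credential.id,
    rawId: base64url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: base64url(credential.response.clientDataJSON),
      attestationObject: base64url(credential.response.attestationObject),
    },
  };
}

// Each registration, even on the same physical key, yields a fresh credential: the server
// distinguishes them by credential ID (rawId), not by comparing attestationObject blobs.
function isSameCredential(a, b) {
  return a.rawId === b.rawId;
}

async function register(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) throw new Error('WebAuthn needs a browser');
  return serializeRegistration(await navigator.credentials.create(options));
}

// Constructed stand-in for a resolved PublicKeyCredential (bytes are not from a real authenticator).
const MOCK_CREDENTIAL = {
  id: 'AQID', type: 'public-key', rawId: new Uint8Array([1, 2, 3]).buffer,
  response: { clientDataJSON: new Uint8Array([0xfb, 0xff, 0xbf]).buffer, attestationObject: new Uint8Array([0xff]).buffer },
};
```

In a browser, `register(buildCreationOptions(...))` returns the JSON to POST to the server; `MOCK_CREDENTIAL` lets `serializeRegistration` run offline.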