about registering different user handle to authenticator in WebAuthn with CTAP2


Kazuki Yoneyama

Mar 27, 2023, 7:04:27 AM3/27/23
to FIDO Dev (fido-dev)
Hello,

I have a question about the specification of the registration phase of WebAuthn with CTAP2. Interpreting the WebAuthn protocol regarding the description in the paper, it seems that even if the user handle sent from the client to the authenticator was different from the one sent by the Relying Party to the client, the authenticator would accept it as is. Is this not a problem in practice?

Regards,
Kazuki

Emil Lundberg

Mar 27, 2023, 8:29:46 AM3/27/23
to Kazuki Yoneyama, FIDO Dev (fido-dev)
How would the authenticator know the difference? The authenticator never communicates directly with the RP, only with the client.

Emil Lundberg

Senior Software Engineer | Yubico





Kazuki Yoneyama

Mar 27, 2023, 8:54:09 AM3/27/23
to FIDO Dev (fido-dev), Emil Lundberg, FIDO Dev (fido-dev), Kazuki Yoneyama
Thank you for your response.
In the authentication phase of WebAuthn, the user handle stored at the authenticator is sent to the Relying Party via the client, and the Relying Party locates the public key credential from the received user handle. So, my concern is that if a different user handle than the one generated by the Relying Party is used, it seems the Relying Party can't locate the correct credential.

Regards,
Kazuki

On Mar 27, 2023, 21:29:46 UTC+9, Emil Lundberg wrote:

Emil Lundberg

Mar 27, 2023, 9:18:00 AM3/27/23
to Kazuki Yoneyama, FIDO Dev (fido-dev)
That is correct, the authentication ceremony would fail in that case.

(Of course, the RP could also choose to look up the credential by the credential ID alone. But a malicious or malfunctioning authenticator or client could corrupt the credential ID just as easily as it could corrupt the user handle.)

Emil Lundberg

Senior Software Engineer | Yubico


