username and displayName - empty allowed?


Philipp Junghannß

Aug 6, 2022, 4:09:22 PM
to FIDO Dev (fido-dev)
quick question:

I am currently building basically a FIDO server API to throw the certification tool at a library, and one thing I am unsure with is how what is basically a user-chosen string being "required" affects stuff. 

basically, according to https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#registration-primary-idl (latest FIDO server spec I found, not sure if there's a newer one) the username and displayName are required, but are empty strings okay, or would I need to throw an error if the field is set but with an empty string?

Regards
My1

Dani Mező

Aug 7, 2022, 5:40:40 AM
to FIDO Dev (fido-dev), My1
Hi My1,

I think usernameless authentication should be possible, i.e. an assertion is generated by the client which only at the end of the ceremony gets associated with an actual user. That is, at the end of the day, the purpose of authentication: to tell who the user actually is. If you want to be conformant, and you also want to support this use case, then you should indeed allow empty usernames. If your question is rather how the conformance tool behaves with empty usernames (whether it sends them or not), I do not know that.
As for registration, empty usernames and displayNames do not make sense to me, since you need to associate the credential with an account on the server side. Although, I guess that could be done with cookies and with pre-authentication with another credential? But even in that case, the user is basically known..

Cheers, Daniel

Philipp Junghannß

Aug 7, 2022, 6:21:24 AM
to Dani Mező, FIDO Dev (fido-dev)
not quite what I was going for.

when going for an RK login you leave out the entire user sub-object, iirc; also, in registration that part isn't optional. (empty and not existing are 2 different things: either I am not declaring a user/display name in the first place, or I am explicitly setting it to not contain any text)

I was just thinking that, considering that username and displayName are only useful in certain cases (on the authenticator in the case of resident creds; the server doesn't need to care about them kinda at all), it's odd this hasn't been mentioned so far.
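The distinction the thread turns on (a field that is absent versus one that is present but empty) is easy to lose with a plain `body.get("username", "")`. Below is an added example, not code from the thread, from the FIDO server spec or from any library, of request validation that keeps the two cases apart. The field names `username` and `displayName` and the `{"status", "errorMessage"}` response envelope follow the FIDO server API linked above; the policy choices are assumptions made for this example, not spec text: registration rejects both a missing and an empty string, authentication accepts an absent `username` (resident-key / discoverable-credential login, answered with an empty `allowCredentials`) but still rejects an explicitly empty one. The sample request bodies are constructed, not captured from the conformance tool.

```python
import json
from typing import Any, Dict, Optional

# Sentinel so that a key that is absent from the JSON object can be told
# apart from one that is present with an empty string.
_ABSENT = object()


class RequestError(ValueError):
    """A request the server must answer with status "failed"."""


def _string_field(body: Dict[str, Any], key: str, *, required: bool,
                  allow_empty: bool) -> Optional[str]:
    """Fetch a string member, reporting absent, wrong-typed and empty values separately."""
    value = body.get(key, _ABSENT)
    if value is _ABSENT:
        if required:
            raise RequestError(f"{key} is missing")
        return None
    if not isinstance(value, str):
        raise RequestError(f"{key} must be a string")
    if value == "" and not allow_empty:
        raise RequestError(f"{key} is present but empty")
    return value


def parse_registration_request(body: Dict[str, Any]) -> Dict[str, Any]:
    """Registration: username and displayName are required members of the request.
    Assumed policy for this example: an explicitly empty string is rejected as well."""
    username = _string_field(body, "username", required=True, allow_empty=False)
    display_name = _string_field(body, "displayName", required=True, allow_empty=False)
    return {"user": {"name": username, "displayName": display_name}}


def parse_authentication_request(body: Dict[str, Any]) -> Dict[str, Any]:
    """Authentication: username may be left out for a resident-key (discoverable
    credential) login; then allowCredentials is sent empty so the authenticator
    picks the credential itself. Assumed policy: an empty string is still an
    error, because empty and absent are different things."""
    username = _string_field(body, "username", required=False, allow_empty=False)
    if username is None:
        return {"allowCredentials": [], "discoverable": True}
    return {"username": username, "discoverable": False}


def handle(kind: str, raw_json: str) -> Dict[str, Any]:
    """Parse one request body and wrap the outcome in the status/errorMessage
    envelope used by the FIDO server API responses."""
    parsers = {"register": parse_registration_request,
               "authenticate": parse_authentication_request}
    try:
        body = json.loads(raw_json)
        if not isinstance(body, dict):
            raise RequestError("request body must be a JSON object")
        result = parsers[kind](body)
    except (RequestError, json.JSONDecodeError) as exc:
        return {"status": "failed", "errorMessage": str(exc)}
    result.update(status="ok", errorMessage="")
    return result


# Constructed sample request bodies (not captured from any real client or tool).
SAMPLES = {
    "ok_register": '{"username": "alice@example.test", "displayName": "Alice"}',
    "empty_username": '{"username": "", "displayName": "Alice"}',
    "missing_display": '{"username": "alice@example.test"}',
    "rk_login": '{"userVerification": "required"}',
    "empty_login": '{"username": ""}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        kind = "authenticate" if name.endswith("login") else "register"
        print(f"{name}: {handle(kind, raw)}")
```

If the conformance tool turns out to send an empty string and expect success, the only change is `allow_empty=True` on the affected field; the absent case stays separate either way, which is the point of the sentinel rather than a default of `""`.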