Required UserHandle upon WebAuthn Authentication


Dani Mező

Oct 20, 2021, 11:05:02 AM10/20/21
to FIDO Dev (fido-dev)
Hi devs, Yuriy,

One of my colleagues noticed a discrepancy between the Conformance Test API and the WebAuthn spec as follows.
In the api [1], the user handle is required:

dictionary ServerAuthenticatorAssertionResponse : ServerAuthenticatorResponse {
    required DOMString clientDataJSON;
    required DOMString authenticatorData;
    required DOMString signature;
    required DOMString userHandle;
};

While in the spec [2], it is nullable:

    [SameObject] readonly attribute ArrayBuffer authenticatorData;
    [SameObject] readonly attribute ArrayBuffer signature;
    [SameObject] readonly attribute ArrayBuffer? userHandle;

This is interesting, because some browsers and authenticators do return a null userHandle. What is the idea behind it being required? Should it be injected artificially there by the JS client?

Thank you for the responses,
Daniel Mező

Philipp Junghannß

Oct 20, 2021, 11:14:11 AM10/20/21
to Dani Mező, FIDO Dev (fido-dev)
Also notable is that it is practically not needed usually, as the credentialID can be used to uniquely identify the credential, which is then likely mapped to the user anyway in the database.


Shane Weeden

Oct 20, 2021, 4:53:59 PM10/20/21
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Dani Mező
There is a previous thread on this topic with more of a discussion around user handle:

In my experience the user handle is only provided in the results from navigator.credentials.get when using discoverable credentials.


nuno sung

Oct 21, 2021, 1:10:51 AM10/21/21
to FIDO Dev (fido-dev), Shane Weeden, My1, FIDO Dev (fido-dev), Dani Mező
The CTAP2 spec has the definition for the related cases, whether to return it or not (optional):
PublicKeyCredentialUserEntity structure containing the user account information

On Thursday, October 21, 2021 at 4:53:59 AM UTC+8, Shane Weeden wrote:
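Since the spec makes userHandle nullable and the replies point out that the credential ID already identifies the account, the safe RP-side pattern is to key on the credential ID and treat a userHandle, when one is present, only as something to cross-check. The following is an added example and not code from this thread, the WebAuthn spec or the conformance tools; the in-memory store, the function names and the choice to treat an empty string the same as null are assumptions.

```javascript
// Added example (not from the thread): RP-side handling of the nullable
// userHandle in an assertion response. Names, the in-memory credential store
// and the empty-string convention are assumptions for illustration.

// base64url -> bytes (the encoding the thread's server API uses for the fields)
function b64urlToBytes(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64');
}

// Constructed store: credential ID (base64url of "cred-alice") -> owner user id.
const CREDENTIAL_STORE = new Map([
  ['Y3JlZC1hbGljZQ', Buffer.from('user-alice')],
]);

// Resolve which account an assertion belongs to. The credential ID is the
// authoritative key; a userHandle, when present, must agree with the owner
// recorded at registration, otherwise the assertion is rejected.
// Returns { ok, userId?, reason }.
function resolveAssertionUser(assertion, store = CREDENTIAL_STORE) {
  const ownerId = store.get(assertion.id);
  if (!ownerId) return { ok: false, reason: 'unknown-credential' };

  // null, undefined or "" all mean "no user handle" (the non-discoverable
  // credential case); treating "" as absent is an assumption about how a
  // client serialises the nullable field into a required string.
  const handle = assertion.response.userHandle;
  if (handle === null || handle === undefined || handle === '') {
    return { ok: true, userId: ownerId.toString(), reason: 'credential-id-only' };
  }
  if (!b64urlToBytes(handle).equals(ownerId)) {
    return { ok: false, reason: 'user-handle-mismatch' };
  }
  return { ok: true, userId: ownerId.toString(), reason: 'user-handle-verified' };
}
```

The user id is always taken from the stored credential record, never from the client-supplied handle, so a client that injects or omits the field cannot change which account the assertion is attributed to.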