Create user account before authentication during signup?


Vipul Kapoor

Jun 1, 2024, 10:12:17 AM
to FIDO Dev (fido-dev)
In webauthn, you're supposed to provide a user id to `navigator.credentials.create` however when a user is signing up, they don't have an ID in my database. So does that mean that I should create their account as soon as they enter their name and email in the form and press Signup? Then I will have the user id and proceed with registering their device? Is this the correct flow?

Or do I create a random id?

My1

Jun 1, 2024, 11:00:14 AM
to Vipul Kapoor, FIDO Dev (fido-dev)
the userid should be random anyway, so you first create one randomly and store it together with the user.

On Sat., June 1, 2024 at 16:12, Vipul Kapoor <vi...@glowingstonewebsites.com> wrote:

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/ebb75843-21c0-460d-9704-0fba025e502dn%40fidoalliance.org.

Ye Htut

Jun 1, 2024, 3:02:19 PM
to Vipul Kapoor, FIDO Dev (fido-dev)

Vipul Kapoor

Jun 2, 2024, 5:46:11 AM
to Arshad Noor, FIDO Dev (fido-dev)
Thanks for your input. I'm talking about the publicKeyCredentialCreationOptions.user.id here: Guide to Web Authentication (webauthn.guide)

I'm planning to use the unique id (primary key) from the user table of my database. For that I'll have to create user's account before starting the webauthn registration process. 


--
VIPUL KAPOOR | Director
Glowing Stone
+91 8448 3639 48 | glowingstonewebsites.com

My1

Jun 2, 2024, 6:14:55 AM
to Vipul Kapoor, Arshad Noor, FIDO Dev (fido-dev)
Yeah, I expected that you meant that. Here is some W3C stuff about that:


Specifically, the third link recommends just using 64 bytes of random data and being done with it.


Arshad Noor

Jun 2, 2024, 10:38:24 AM
to Vipul Kapoor, FIDO Dev (fido-dev)
A lot depends on the purpose of the "ID", Vipul.

If you are in a regulated environment (fintech, health, etc.), then you
have to do some levels of "know your customer" (KYC) verification before
you on-board that user and create a FIDO credential.

If you are in an unregulated environment, where you pretty much don't
care what user ID they choose (as long as it is unique), then you can
prompt them for something, check if it exists within your FIDO database
and proceed from there.

Recognize that "ID" can be confusing in the FIDO ecosystem - there is
something called a "credential ID", generated by Authenticators and used
internally by its firmware to manage credentials (key-pairs). There is a
lot written about "discoverable credentials" where users can
authenticate without even providing a "user ID" - but what they're
referring to is the "credential ID" known to the Authenticator.

But IMO, it is a good idea to still ask the user to provide an ID
recognizable to them, and then go through the registration flow - you
can see this in the StrongKey Discover webapp at
https://demo.strongkey.com - which you can also download to review its
source code as an example.

Arshad Noor
StrongKey


Eka Intan

Jul 25, 2024, 11:03:01 AM
to FIDO Dev (fido-dev), Arshad Noor, Vipul Kapoor

Sophia Liam

Jul 27, 2024, 3:20:15 AM
to FIDO Dev (fido-dev), Vipul Kapoor

Yes, you’ve got the right idea. In the WebAuthn flow, you need a unique user ID to associate with the credentials being created. Here’s a more detailed breakdown of the process:

1. **User Sign-Up**: When a user enters their name and email and presses "Sign Up," you should create their account in your database at this point. This allows you to generate a unique user ID for them.

2. **Generate User ID**: After creating the user account, you can then generate or retrieve a unique user ID for that user.

3. **Register Device**: With the user ID now available, you can proceed with the WebAuthn registration process. You would call `navigator.credentials.create()` with the necessary parameters, including the user ID.

This ensures that the WebAuthn registration is correctly associated with a specific user in your system.

For more detailed guidance on integrating WebAuthn and handling these processes, I would recommend visiting Rahimsoft where you can find additional resources and support tailored to related topics.

Juana Daniel

Jul 30, 2024, 1:30:51 AM
to FIDO Dev (fido-dev), Vipul Kapoor
Yes, your understanding is correct. In the WebAuthn flow, you need a user ID to provide to `navigator.credentials.create`. Therefore, the typical approach is to create the user's account in your database as soon as they enter their name and email in the signup form and press "Signup." This initial account creation gives you the necessary user ID, which you can then use to proceed with registering their device.

Here’s a step-by-step outline of the process:

1. **User enters name and email**: User fills out the signup form with their name and email.
2. **Create account in the database**: As soon as the user submits the form, create a new user record in your database. Generate a unique user ID at this point.
3. **Proceed with WebAuthn registration**: Use the newly created user ID in the call to `navigator.credentials.create` to register the user's device.

By following this flow, you ensure that you have a user ID for the WebAuthn process.

For more insights and detailed explanations on topics like this, you might find resources from artistapirata helpful.
