FIDO2/Webauthn userhandle: does it mean anything


Philipp Junghannß

Oct 7, 2021, 5:19:25 AM
to FIDO Dev (fido-dev)
Hello, I just have a simple question.

Is there literally any point to the user handle you get with WebAuthn/FIDO2? Because isn't the credential ID already enough to identify the credential and then tack that to the user via a backend database, which you need anyway?

It seems just kinda redundant to me.

Regards.

nuno sung

Oct 7, 2021, 6:15:02 AM
to FIDO Dev (fido-dev), My1
Multiple accounts per RP
I think an example of this is that Microsoft uses the same rpid "login.microsoft.com" for their many services, so different user.id values can be mapped to different users under different services. Another benefit is to allow the RP to prevent an authenticator from re-registering to the same user.id.

My1 wrote on Thursday, October 7, 2021 at 5:19:25 PM [UTC+8]:

Philipp Junghannß

Oct 7, 2021, 6:25:54 AM
to nuno sung, FIDO Dev (fido-dev)
Multiple users per service aren't an issue, considering that you still get the credential ID, and for re-registering the same one you have exclusion lists.

Emil Lundberg

Oct 7, 2021, 7:21:38 AM
to Philipp Junghannß, nuno sung, FIDO Dev (fido-dev)
You're right that it fills largely the same role as the credential ID. The main difference is that the user handle is chosen by the RP, unlike the credential ID which is chosen by the authenticator, so the user handle gives the RP more control over how to structure their database.

And also note that the user handle is (at least intended to be) the same for all of a user's credentials, unlike the credential ID which is unique per credential (maybe obvious, but I've seen that be a point of confusion sometimes).

Emil Lundberg

Software Engineer | Yubico
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACHSkNqR13kjmxKjuWEKL%2BM7mGGF4XToNk0MNspmEheMAiZ6JQ%40mail.gmail.com.

nuno sung

Oct 7, 2021, 7:46:49 AM
to FIDO Dev (fido-dev), My1, nuno sung
Sure, the RP can handle these requirements with the credential ID only, just as in the U2F protocol.
However, the use of the user handle can ensure that these requirements are met on the authenticator side.
My1 wrote on Thursday, October 7, 2021 at 6:25:54 PM [UTC+8]:

Eldan Ben-Haim

Oct 7, 2021, 8:03:25 AM
to Philipp Junghannß, FIDO Dev (fido-dev)
User handles can also be used to "overwrite" registration of resident credentials -- as opposed to exclusion lists.
By sending the same user handle in multiple registration requests, the registered credentials in an RK will overwrite each other.