Comments (4)
In principle, a security key can display the username for which it is requesting authentication, which is why it is there. I've not heard of anything that does this.Nevertheless it is part of the spec that a username as well as id userid is part of the challenge process (actually there are three - user id, name and display name, but I used $username for both name and display name).
Unless you are doing something that only lets you in and no one else, you would surely have a user name of some kind (perhaps their email address) in whatever back end database you are using identifying who is being registered. If you really are protecting something that relies only on the key, and not them giving a user name, then I think you could put anything here IIRC, but you'd have to have some way to identify the key used. Currently this code only verifies the key against keys registered for a set of usernames, it doesn't identify an account based purely on the key used.
BTW, my apologies, this morning I accepted several pull requests which contain breaking changes. They were regularising the code using class and function name conventions, which change the locations of files, class names, function names (camel case) and the namespace (\davidearl => \Davidearl). The old code is in branch 0.1.0, but I suggest updating while the code is still relatively new.
from webauthn.
there are no worries, I thank you for your work. What I wanted to say is that if we want to add this type of authentication in an application that already manages authentication by login / password, these parameters are useless? thank you
from webauthn.
The id certainly isn't useless - it is used as part of the information that is passed to the key to generate a response (otherwise the same key could be used as a second factor with any account on the same system, which defeats the point of it).
The name is required by the webauthn spec, but I have not seen it used as the spec suggests, that it is displayed to the person doing the authentication, but that's only because there aren't many kinds of key around yet I think. You do need to provide it, as the key expects to receive it. This isn't an invention of this code, it comes from the spec of what the key (or the code that accesses the key - most keys are passive I think) expects to be provided with. You might consider it useless, given the keys we currently have, but the spec demands it.
from webauthn.
@davidearl ok thank you
from webauthn.
Related Issues (20)
- Make 'cross-platform' an option
- How to manage multiple authenticators per user? HOT 2
- TypeError: Element of 'transports' member of PublicKeyCredentialDescriptor 'internal' is not a valid value for enumeration AuthenticatorTransport.
- register each yubikey only once HOT 2
- Dissallow reusing login payloads HOT 1
- importing the library HOT 2
- Icon in rp
- Bio-metric Authentication HOT 12
- Trim unnecessary stuff HOT 2
- Timeout not implemented? HOT 2
- iphone safari browser is not working HOT 8
- Windows + FIDO + Securitykey return fmt as packed in the attestationobject
- `composer require` fails with InvalidArgumentException HOT 2
- Firefox has started returning an error on registration HOT 1
- Safari: registration failed: Bad Request: cannot decode key response (5) HOT 3
- Setting unknown property: appid for local host HOT 4
- 500 / Couldn't initiate registration HOT 2
- phpseclib3 HOT 4
- Multiple Keys per user HOT 3
- couldn't initiate login: SyntaxError: Unexpected end of JSON input: HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.