Matthew Miller

icon indicating a website link https://blog.millerti.me

icon company Duo Security at @cisco-sbg icon location CA, USA icon location (a.k.a. IAmKale) I write lots of TypeScript, but am also quite fond of Python. A driving question: how can I make life easier for other devs? 🤔

Results 295 comments of Matthew Miller

Clarify how to differentiate between exceptions

You have to go digging into the spec to connect the pieces, but the spec definitely outlines discrete error scenarios that should be reliably detectable. For sake of discussion, I've...

Clarify how to differentiate between exceptions

From 11/1/23 WG meeting: There's definitely still a desire for this from RP's, CC'ing @nsatragno and @emlun to consider the idea that came up today about being able to include...

Clarify how to differentiate between exceptions

Another error use case to consider: - RP requires UV, but a user tries to use a U2F security key that doesn't support PIN. It would be useful to see...

Remove footgun related to random user IDs

I still think by default it's a good idea for me to generate completely random values when `userID` is omitted. However in your case there's nothing about what I'm proposing...

Remove footgun related to random user IDs

> I'm having some trouble with this - I let [py_webauthn](https://pypi.org/project/webauthn/) generate a user id from the backend (it gets encoded to "OPclcKTH6cjyjoRncpBrvKaepPz4eagbzFtOVnYCmANpUx0Vntm1lzlabOri5BF97CLNfTL440SIhbqwd459eQ") and then I'm converting that to a...

Remove footgun related to random user IDs

These changes are now available in the recently-published **@simplewebauthn/[email protected]**, **@simplewebauthn/[email protected]**, and **@simplewebauthn/[email protected]** ✌️

Remove footgun related to random user IDs

> The main use of the [user handle](https://www.w3.org/TR/webauthn-3/#user-handle) is to identify the [user account](https://www.w3.org/TR/webauthn-3/#user-account) in such [authentication ceremonies](https://www.w3.org/TR/webauthn-3/#authentication-ceremony), but the [credential ID](https://www.w3.org/TR/webauthn-3/#credential-id) could be used instead. The main differences are...

Remove footgun related to random user IDs

(That said I still personally think it's okay to simply look up users by credential ID; I haven't heard of anyone running into issues with this approach. It's stuff like...

Remove footgun related to random user IDs

> The user handle is not guaranteed to exist or exists in a different format for authenticators, that have been generated using previous registration options. The credential id is always...

largeBlob support?

Thanks for opening this issue @jbrower95, it's not a bad idea. There's definitely an opportunity here to simplify the use of `largeBlob` because the spec requires reading the description of...