
Credential discovery is unclear

Open bobknowscode opened this issue 3 years ago • 0 comments

I have found it difficult to understand what Discoverable credentials really means and how credentials could be discovered from just an RP ID. I read the https://www.w3.org/TR/webauthn-3/ specification and reviewed the "Client-side discoverable Public Key Credential Source" section.

The issues are: What entity is responsible for finding the credential ID?
What happens if the user has a TPM and 2 USB FIDO Authenticators attached to a local PC? What entity searches these for credentials? What if the user has 2 or more registrations with a relying party?

Proposed Change

Add to the standard a bounce diagram of non-discoverable and discoverable cases?
Add to the standard what entities are responsible for finding credential IDs based on Relying Party ID. Add some discussion about multiple authenticators and 2 or more registrations with a relying party.

Thank you.

bobknowscode, Aug 26 '22 19:08