Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider adding local-account ID into the userHandle of the passkey #3

Open
getify opened this issue Aug 22, 2024 · 2 comments
Open

Consider adding local-account ID into the userHandle of the passkey #3

getify opened this issue Aug 22, 2024 · 2 comments
Assignees
@getify
Labels
enhancement New feature or request

Comments

@getify
Copy link
Member

getify commented Aug 22, 2024

The user.id (aka userHandle) of a passkey is currently filled with the 32 bytes of the IV/seed value for the key, as well as 2 bytes for a counter. This leaves 30 bytes (max is 64 bytes) available.

Currently, the only linkage between a passkey credential and its local-account is via the localStorage entries. But if we put the accountID into the user.id / userHandle field pin those remaining 30 bytes, then a local-account ID is retrievable from any passkey authentication (even if the localStorage entry has been lost -- although that loss would have dropped the initial public-key for the credential, so verifications would no longer be possible).

Advantages:

  • more durable design (less reliant on localStorage)
  • more secure storage of the account ID than in localStorage -- although it likely would still be stored there for public-key verification purposes

Disadvantages:

  • backwards-incompatible breaking change -- though such risk is low, likely nobody is using this in production yet -- although the code could probably work around this by detecting the difference in length of returned userHandle values.
  • would imply a stricter limit on the maximum length of the account ID -- and maybe we shouldn't take up all 30 remaining bytes, in case we need more space for something else later?
  • account ID is not really "personally identifying information" so it's probably technically OK to put in this field, but it's maybe not as preferred.
@getify getify self-assigned this Aug 22, 2024
@getify getify added the enhancement New feature or request label Aug 22, 2024
@devYonz
Copy link

devYonz commented Aug 27, 2024

An added benefit is that password managers which allow you to access your passkey across devices will be able to sync the account id as well. This should make provisioning a new device easier for apps that would otherwise have to figure out the account being provisioned with some other means

@getify
Copy link
Member Author

getify commented Aug 27, 2024

Hmmm, that's an interesting point. The wallet is definitely planned to handle synchronization of the accounts/keys, so it would handle this. But yeah, it might make non-wallet out of band synchronization easier.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@getify getify

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@getify @devYonz