kanidm / webauthn-rs

An implementation of webauthn components for Rustlang servers
Mozilla Public License 2.0
483 stars 80 forks

Randomly generate credentials as an enumeration defence #362

Closed Firstyear closed 7 months ago

Firstyear commented 11 months ago

Some IdPs wish to "hide" their users' names during login, so they will present a false dialog prompt that says "username/password incorrect". This can work with RKs because webauthn sends an empty allowed credential ID list. But if a user does have credentials that aren't RKs, they are listed.

In this case we should be able to "synthesise" random credentials from a seed + username so that it "appears" there are credentials to any/every username, even though they aren't actually true or viable credentials.

smessmer commented 11 months ago

Yes, this would be useful. We're currently doing this by generating a login challenge that looks like it was generated by webauthn-rs but was actually manually generated outside of the library, with a credential ID that is random but more-or-less stable for the user; rotation is something to consider here as well. It works, but it has the potential to get out of sync with how webauthn-rs formats its challenges, and even a single whitespace change could tip off adversaries that it is a dummy challenge.
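The "seed + username" derivation proposed in the issue, written out as an added example (this is illustrative code, not webauthn-rs or any commenter's implementation). It assumes the relying party holds a secret key and a rotation epoch; `SERVER_SECRET`, `CRED_ID_LEN`, the function names and the in-memory `store` are all constructed for the example. Decoy credential IDs are derived with HMAC-SHA256 so they are stable per username (the same list on every login attempt), differ between usernames, and change when the epoch is rotated; even the number of decoys (1 or 2) is derived from the key so the count does not give the synthetic list away.

```python
"""Deterministic decoy credential IDs as a username-enumeration defence.

Added example, not webauthn-rs code. Assumes the relying party keeps a secret
key and a rotation epoch; the values below are constructed placeholders.
"""
import hashlib
import hmac

# Constructed values: a real deployment loads the key from its secret store.
SERVER_SECRET = bytes.fromhex("0f" * 32)   # placeholder key (constructed)
CRED_ID_LEN = 32                            # match the length of real credential IDs


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so 'ab'+'c' != 'a'+'bc'."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


def _normalize(username: str) -> str:
    # Use the same normalisation as the real account lookup, so that
    # "Alice" and " alice" produce the same decoys (and the same real hit).
    return username.strip().lower()


def decoy_credential_ids(username: str, secret: bytes = SERVER_SECRET,
                         epoch: int = 0, length: int = CRED_ID_LEN) -> list[bytes]:
    """Return a stable, per-user list of fake credential IDs.

    The decoy count (1 or 2) is itself keyed, so it is not a constant that
    an observer could use to tell decoy lists from real ones.
    """
    user = _normalize(username).encode("utf-8")
    ep = epoch.to_bytes(4, "big")
    count = 1 + _prf(secret, b"decoy-count", ep, user)[0] % 2
    ids = []
    for idx in range(count):
        out = b""
        block = 0
        # Expand the PRF in counter mode until we have `length` bytes.
        while len(out) < length:
            out += _prf(secret, b"decoy-id", ep, user,
                        idx.to_bytes(4, "big"), block.to_bytes(4, "big"))
            block += 1
        ids.append(out[:length])
    return ids


def allowed_credentials(username: str, store: dict[str, list[bytes]],
                        secret: bytes = SERVER_SECRET, epoch: int = 0) -> list[bytes]:
    """Build the allowCredentials list for an authentication challenge.

    Registered users get their real (non-resident) credential IDs; every other
    username gets decoys of the same shape, identical on every attempt, so the
    response does not reveal whether the account exists.
    """
    real = store.get(_normalize(username))
    if real:
        return list(real)
    return decoy_credential_ids(username, secret, epoch)


if __name__ == "__main__":
    # Constructed sample: one registered user with a single non-RK credential.
    demo_store = {"alice": [b"\x01" * CRED_ID_LEN]}
    for name in ("alice", "bob", "BOB "):
        print(name.strip(), [c.hex()[:16] + "..." for c in allowed_credentials(name, demo_store)])
```

The decoy list should then be fed through the library's own challenge builder rather than hand-assembled, which removes the formatting-drift risk described in the comment above; rotating `epoch` changes every decoy at once, so the rotation cadence should be no faster than the rate at which real credential lists legitimately change.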