How to add support for multiple devices on an account?

[Whip]

Thanks for the library. So far I've managed to make it work well but on a single device only. A user can certainly use multiple devices to login to their account and I want to have a system where the site registers the new device and links it to the customer. Here's how it works:

• Step 1: New user signup on Android phone. New registration is created and after verification credentialId and public key is saved to the database. User 1: Name, email, phone, etc User device 1: User id, credentialId, public_key
• Step 2: Login on the same device. User provides their email. We fetch the credentialIds from the database, pass it to getGetArgs. Android prompts user to scan fingerprint, the user is authenticated.
• Step 3: Login from a windows computer. User enters their email and we fetch credentialIds, so far there's just one that belongs to their android phone. The response from getGetArgs is passed to navigator.credentials.get. Windows does not prompt user to scan fingerprint.

I believe there should be an option to check whether any of those credentialIds are on the device and return an exception if none is found. Then we can handle that by registering the new device. How would you handle this situation?

[lbuchs]

when using passkeys, the windows computer provides a qr code which can be scanned with the android device. Then the private key gets transmitted to the windows computer and the user can login from there too.

If you're not using passkeys, it would be a security risk to ask for adding a new device when there is no key saved on a device - If this would work, when I've got the username & password of a user I can easily login with it and add my computer to the account. If you want to support this case, you have to provide a alternative 2FA method (Email, SMS, ...) to ensure that the new computer is a device of the user.

[timcappalli]

when using passkeys, the windows computer provides a qr code which can be scanned with the android device

The private key does not leave the authenticator. An assertion is passed from the authenticator to the client.

[Whip]

So what I've implemented is to save a marker in localstorage that the user has signed in before. If I don't find that marker, i prompt the user to use another device in which case I execute 'getargs' with empty credential array, or if they want to register this device, I send a one time code to their email address to confirm their identity.

On Wed, Feb 7, 2024, 4:18 AM Tim Cappalli @.***> wrote:

when using passkeys, the windows computer provides a qr code which can be scanned with the android device

The private key does not leave the authenticator. An assertion is passed from the authenticator to the client.

— Reply to this email directly, view it on GitHub https://github.com/lbuchs/WebAuthn/issues/87#issuecomment-1930899383, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACYO5RG4M3PM6DD5G23WI5TYSKXK3AVCNFSM6AAAAABCZYQJS6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZQHA4TSMZYGM . You are receiving this because you authored the thread.Message ID: @.***>

[seanh0895]

when using passkeys, the windows computer provides a qr code which can be scanned with the android device

The private key does not leave the authenticator. An assertion is passed from the authenticator to the client.

Is it still CTAP2 with Passkeys?

[lbuchs]

CTAP 2.2 (Review Draft 01)