Passkey Credential ID, User Name, User ID, User Handle
vdelitz
Posted on January 5, 2024
Introduction
In the world of WebAuthn and passkeys, there’s always a lot of ambiguity and uncertainty when it comes to terminus. In particular, there are many misconceptions about WebAuthn Credential ID, WebAuthn User Name, WebAuthn User ID, WebAuhn User Handle and WebAuthn User Display Name.
This article should help you understand better what the terms mean and how they distinguish from each other.
WebAuthn Credential ID
During the registration of a new credential (passkey), an authenticator like a smartphone or hardware key creates a unique WebAuthn Credential ID. This ID is crucial for passkey authentication as it helps to uniquely identify each passkey. In essence, every Credential ID is distinct and tied to its specific passkey.
WebAuthn User ID
The WebAuthn User ID (user.id) is set by the relying party (RP) to represent a user in their system, crucial for linking users to their passkeys. During registration, this User ID is given to the authenticator and attached to the new passkey. It’s vital for distinguishing credentials between users, particularly in multi-user setups. Each User ID is unique within the RP’s system and consistent across all of a user’s passkeys, ensuring secure and uniform identification during authentication.
WebAuthn User Handle
The User Handle (response.userHandle) in passkey authentication, set by the relying party, represents the user account in their system. It’s the same as the User ID (user.id) but is named User Handle in the authenticator’s response. This handle links credentials (passkeys) to a user account, especially for resident keys, and is stored by the authenticator. Though not unique like Credential ID, the User Handle associates multiple Credential IDs with a single user, playing a key role in managing and updating credentials during the registration process.
WebAuthn User Display Name
The WebAuthn User Display Name (user.displayName) is a user-chosen, readable name for display in the app interface, not for authentication. It enhances user experience by providing a familiar, human-readable identifier, like a real name or nickname. Developers and product managers should understand that it’s for user convenience and personalization, not a secure authentication identifier. It’s advised not to overly restrict the user’s choice for this display name.
WebAuthn User Name
The WebAuthn User Name (user.name) is a unique identifier within the RP’s system, crucial in scenarios where users might have similar Display Names. It’s used in the authentication process and can be an email, username, or any unique ID, ensuring each account is distinctively linked to its credentials. This name is vital for maintaining authentication integrity, especially when different accounts have similar Display Names. It can be any arbitrary string, offering flexibility in user identification.
Conclusion
We hope the the list and definitions above helped you to better understand the terms and how dinstiguish from each other. To get more insights and see practical examples, please take a look at the full blog post here.
Posted on January 5, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.