From 7fee0aace2596054add966326622a8fc63ed63c6 Mon Sep 17 00:00:00 2001
From: pilcrowOnPaper
Date: Sat, 21 Sep 2024 20:02:43 +0900
Subject: [PATCH] add links

---
 pages/webauthn.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pages/webauthn.md b/pages/webauthn.md
index daad5e6..31e2400 100644
--- a/pages/webauthn.md
+++ b/pages/webauthn.md
@@ -257,7 +257,7 @@ type ClientData struct {
 }
 ```
 
-Finally, create a new user with their public key and the credential ID.
+Finally, create a new user with their public key and the credential ID. We recommend converting the COSE-encoded public key into one of the more compact and standard formats ([ECDSA](/cryptography/ecdsa#public-keys)).
 
 ## Authentication
 
@@ -315,7 +315,7 @@ if clientData.Type != "webauthn.get" {
 
 Another difference is that the credential portion of the authenticator is not included.
 
-Use the credential ID to get the credential's public key. **For 2FA, ensure that the credential belongs to the authenticated user.** Skipping this check will allow malicious actors to entirely skip 2FA. The signature is of the authenticator data and the SHA-256 hash of the client data JSON. For ECDSA, the signature is ASN.1 DER encoded.
+Use the credential ID to get the credential's public key. **For 2FA, ensure that the credential belongs to the authenticated user.** Skipping this check will allow malicious actors to entirely skip 2FA. The signature is of the authenticator data and the SHA-256 hash of the client data JSON. For ECDSA, the signature is [ASN.1 DER encoded](/cryptography/ecdsa#pkix).
 
 ```go
 import (