Solve the re-registration issue

We build the Authentication Cloud API on the WebAuthn API. For security reasons, the WebAuthn API does not allow the existing authenticators on a device to be listed.

This security feature comes with an issue: the same device can be registered to the same user multiple times, each time with a new authenticator.

The issue

It can be confusing and frustrating to the user if they are guided to re-register their device multiple times, instead of just authenticating conveniently. It is in your portal's interest to reuse existing authenticators.

This is an issue because in Authentication Cloud, a user can have a maximum of ten FIDO2 devices. We set this limit to restrict the number of these re-registrations.

Before allowing the user to register a new FIDO2 device, we recommend that you first fetch and display all registered FIDO2 devices of the user, and ask them to select which device they want to use for the current authentication.

  • When the user selects one of them, proceed with authenticating the user.
  • If the user does not recognize any of the displayed registered devices, or no devices are registered, allow registering a new one.

Fetch all registered FIDO2 devices of the user

Retrieve the user using the Authentication Cloud API. The returned user contains all of their authenticators.

Among authenticators, FIDO2 authenticators are identified by the fido2 value of the authenticatorType attribute.

{
  "authenticatorId": "339fa80a-a012-44c4-829e-82b3966f6ab0",
  "name": "My Windows Laptop",
  "authenticatorType": "fido2",
  "state": "active",
  "enrolledAt": "2022-02-10T06:59:17Z",
  "updatedAt": "2022-02-10T06:59:17Z",
  "fido2": {
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
    "rpId": "example.com",
    "aaguid": "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "userVerificationRequirement": "preferred",
    "attestationConveyancePreference": "direct",
    "residentKeyRequirement": "discouraged"
  }
}
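
The selection flow recommended above can be sketched as follows. This is an added example, not code from the Authentication Cloud documentation or SDK. It assumes the retrieved user object exposes its authenticators as an array named `authenticators`, that only entries in the `active` state are usable, and that every FIDO2 entry counts toward the limit of ten; the function names and all sample entries except the first are constructed.

```javascript
// Added example, not Authentication Cloud code. Assumption: the retrieved user
// object exposes its authenticators as an array named `authenticators`.
const MAX_FIDO2_DEVICES = 10; // limit stated on this page

const isFido2 = (a) => Boolean(a) && a.authenticatorType === 'fido2' && Boolean(a.fido2);

// FIDO2 authenticators the user can be offered for this relying party.
function listFido2Devices(user, rpId) {
  const all = Array.isArray(user && user.authenticators) ? user.authenticators : [];
  return all
    .filter(isFido2)
    .filter((a) => a.state === 'active')   // assumption: only "active" entries are usable
    .filter((a) => a.fido2.rpId === rpId)  // a WebAuthn credential is bound to its rpId
    .sort((a, b) => Date.parse(b.enrolledAt) - Date.parse(a.enrolledAt)) // newest first
    .map((a) => ({
      authenticatorId: a.authenticatorId,
      name: a.name || 'Unnamed device',    // escape before rendering in HTML
      enrolledAt: a.enrolledAt,
      userAgent: a.fido2.userAgent || '',
    }));
}

// Decide what the portal offers: pick a device, register, or refuse at the limit.
function nextStep(user, rpId) {
  const all = Array.isArray(user && user.authenticators) ? user.authenticators : [];
  // Assumption: every FIDO2 entry, whatever its state or rpId, counts toward the limit.
  const canRegister = all.filter(isFido2).length < MAX_FIDO2_DEVICES;
  const devices = listFido2Devices(user, rpId);
  if (devices.length > 0) return { action: 'choose-device', devices, canRegister };
  return { action: canRegister ? 'register' : 'limit-reached', devices, canRegister };
}

// Constructed sample user; only the first entry mirrors the sample on this page.
const sampleUser = {
  authenticators: [
    { authenticatorId: '339fa80a-a012-44c4-829e-82b3966f6ab0', name: 'My Windows Laptop',
      authenticatorType: 'fido2', state: 'active', enrolledAt: '2022-02-10T06:59:17Z',
      fido2: { rpId: 'example.com', userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } },
    { authenticatorId: 'constructed-id-2', name: 'Old phone',
      authenticatorType: 'fido2', state: 'active', enrolledAt: '2021-11-02T09:00:00Z',
      fido2: { rpId: 'other.example', userAgent: '' } },
    { authenticatorId: 'constructed-id-3', name: 'Placeholder',
      authenticatorType: 'placeholder-non-fido2', state: 'active', enrolledAt: '2021-01-01T00:00:00Z' },
  ],
};

console.log(nextStep(sampleUser, 'example.com'));
```

When `action` is `choose-device`, show the returned list and authenticate with the selected entry; `canRegister` tells the portal whether to also offer registering a new device for users who do not recognize any entry.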