User friendly credential ID string for troubleshooting #2256

Open
timcappalli opened this issue Feb 10, 2025 · 0 comments
timcappalli commented Feb 10, 2025

Proposed Change

Troubleshooting WebAuthn with end users can be difficult, especially remotely (e.g. a chat or call). Most WebAuthn credential identification done today is via either user-provided friendly names, or automatically generated names based on AAGUID. This isn't super useful to support folks when troubleshooting as they don't uniquely identify the credential to both the user and the RP support staff. Today, the only other real option is for an RP to show the credential ID, and authenticators would need to do the same. Credential IDs are variable in length and are often long, making them not very user friendly.

A basic method would be to concat the RP ID and credential ID, SHA-256 hash it and then return the last 6 characters.

sha256(rpId, credentialId)

import { createHash } from 'crypto';

// Concatenate the RP ID and the credential ID, SHA-256 the result and keep the last 6 hex characters.
const concatenateAndHash = (str1: string, str2: string): string => {
    const concatenatedString = str1 + str2;
    const hash = createHash('sha256').update(concatenatedString).digest('hex');
    return hash.slice(-6); // Get the last 6 characters
};

const result = concatenateAndHash("webauthn.io", "SwAuYQuh0LlVDdH7sQVsDQ");
console.log(result); // a top-level `return` is not valid outside a function

Result: b4c52f

Why define in WebAuthn?

While this proposal would not change the shape or function of the WebAuthn API, this string needs to be consistent across authenticators, clients, and Relying Parties, so defining the derivation of the user friendly identifier is important. WebAuthn is the logical home for this. The spec would simply define the derivation procedure above and potentially give this thing a name (e.g. "Key ID").
