Set User Handle to a salted hash or random

[seachicken]

The current User Handle (a.k.a user ID) is a hash of the user name.

line-fido2-server/rpserver/src/main/java/com/linecorp/line/auth/fido/fido2/rpserver/controller/CredentialController.java

Line 147 in 22d5aa9

byte[] digest = Digests.sha256(username.getBytes(StandardCharsets.UTF_8));

The documentation appears to recommend it with salted hash or random, so should we change that?

This includes hash values of personally identifying information, unless the hash function is salted with salt values private to the Relying Party, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the user handle be 64 random bytes, and store this value in the user’s account.

https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-user-handle-privacy

[kj84park]

Yes, you are right.
Thank you for your opinion.

I think it would be better to provide a random value:slightly_smiling_face:

[kj84park]

Yes, you are right. Thank you for your opinion.

I think it would be better to provide a random value🙂

I realized that there might be a lot of parts that need to be fixed to provide random values.

I think we might have to find another way.