storing user hashed password into webauthn id

Çağlar Arlı      -    11 Views

I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.

In order to add a biometric/quick-open feature to the app, I thought about creating a WebAuthn entry and storing the user-hashed password in its id field.

Later when calling verify, I will get this hashed password from the id response, and use it to open the vault.

I have seen several comments about not storing sensitive data in the id field, but can't find any evidence or description of an attack vector that can make it insecure.

What do you smart people think about it?
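
The flow described in the question, sketched as an added example that is not the poster's code. It assumes the "id field" is `user.id` (the user handle, which the page can set and which comes back as `response.userHandle`); the RP name, user names and function names are placeholders.

```javascript
// Added example, not the poster's code. Assumption: "id field" means user.id (user handle).
const MAX_USER_HANDLE_BYTES = 64; // WebAuthn limits user.id to 64 bytes
const FLAG_UV = 0x04;             // "user verified" bit in authenticatorData flags

// Options for navigator.credentials.create(); the value to recover later rides in user.id.
function buildCreateOptions(secretBytes, challenge) {
  if (!(secretBytes instanceof Uint8Array) || secretBytes.length === 0) {
    throw new TypeError("secret must be a non-empty Uint8Array");
  }
  if (secretBytes.length > MAX_USER_HANDLE_BYTES) {
    throw new RangeError("user.id cannot exceed 64 bytes");
  }
  return { publicKey: {
    rp: { name: "Vault app (placeholder)" },
    user: { id: secretBytes, name: "vault", displayName: "Vault" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      residentKey: "required",      // userHandle is only returned for discoverable credentials
      userVerification: "required", // ask for biometric/PIN, not just a touch
    },
  } };
}

// Options for navigator.credentials.get(); no allowCredentials, so a discoverable credential is used.
function buildGetOptions(challenge) {
  return { publicKey: { challenge, userVerification: "required" } };
}

// Read the stored bytes back from an assertion, refusing results without the UV flag.
function extractSecret(assertion) {
  const { authenticatorData, userHandle } = assertion.response;
  const flags = new Uint8Array(authenticatorData)[32]; // 32-byte rpIdHash, then the flags byte
  if ((flags & FLAG_UV) === 0) throw new Error("user verification was not performed");
  if (!userHandle || userHandle.byteLength === 0) throw new Error("no userHandle returned");
  return new Uint8Array(userHandle);
}

// Browser-only wiring (needs a secure context); challenge is random bytes from the caller.
async function quickOpen(challenge) {
  const assertion = await navigator.credentials.get(buildGetOptions(challenge));
  return extractSecret(assertion);
}
```

In a pure client-side app nothing verifies the assertion signature, so the UV check above relies on what the browser and authenticator report.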