1 Mar
storing user hashed password into webauthn id
I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric/quick-open feature to the app, I thought about creating a WebAuthn entry and storing the user's hashed password in its id field.
Later, when calling verify, I will get this hashed password back from the id in the response and use it to open the vault.
I have seen several comments about not storing sensitive data in the id field, but I can't find any evidence or description of an attack vector that would make it insecure.
What do you smart people think about it?
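The two designs side by side, as an added example that is not part of the original post: the first builds the registration and assertion handling exactly as the question describes (hashed password placed in `user.id`, read back from `response.userHandle`), the second uses the WebAuthn PRF extension (`extensions.prf`, the hmac-secret based extension in WebAuthn Level 3) so that the page only ever receives a key derived inside the authenticator. `openVault`, the `sha256:`-prefixed sample hash and the salt are constructed placeholders, not anything from the question or from any library.

```javascript
// Added example; not code from the original post. Assumes a hypothetical openVault(keyBytes).
// WebAuthn passes ids, handles and challenges as BufferSource, so we need byte helpers.
function toBytes(str) { return new TextEncoder().encode(str); }
function fromBytes(buf) { return new TextDecoder().decode(new Uint8Array(buf)); }

// Design from the question: the hashed password becomes user.id at registration.
// user.id is an opaque identifier with a 64-byte maximum; the spec does not treat it as
// confidential, and a discoverable credential hands it back verbatim as userHandle.
function buildRegistrationOptions(hashedPassword, challenge) {
  const id = toBytes(hashedPassword);
  if (id.byteLength > 64) throw new Error('user.id must be at most 64 bytes');
  return {
    rp: { name: 'vault-app' },                      // constructed RP name
    user: { id, name: 'local-user', displayName: 'Local user' },
    challenge,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    authenticatorSelection: { residentKey: 'required', userVerification: 'required' },
  };
}

// Reading the "secret" back: no decryption, no key, just bytes the assertion carries.
// Any script that can complete the get() ceremony on this origin obtains the same value.
function userHandleFromAssertion(assertion) {
  return fromBytes(assertion.response.userHandle);
}

// Alternative design: ask the authenticator to evaluate its PRF over a salt. The stored
// secret never leaves the authenticator; the page receives a 32-byte derived value that is
// only produced after user verification, which is what a vault-unlock key should look like.
function buildPrfGetOptions(credentialId, salt, challenge) {
  return {
    challenge,
    allowCredentials: [{ type: 'public-key', id: credentialId }],
    userVerification: 'required',
    extensions: { prf: { eval: { first: salt } } },
  };
}

async function getVaultKeyViaPrf(credentialId, salt) {
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  const assertion = await navigator.credentials.get({
    publicKey: buildPrfGetOptions(credentialId, salt, challenge),
  });
  const prf = assertion.getClientExtensionResults().prf;
  if (!prf || !prf.results || !prf.results.first) {
    throw new Error('authenticator or browser does not support the PRF extension');
  }
  return new Uint8Array(prf.results.first); // feed this (with a KDF) into openVault(), not a password hash
}

// Browser-only usage (skipped under Node, where navigator is undefined):
if (typeof navigator !== 'undefined' && navigator.credentials) {
  const salt = toBytes('vault-unlock-v1');            // constructed, fixed per vault
  // getVaultKeyViaPrf(storedCredentialId, salt).then(key => openVault(key));
}
```

The check worth running on the first design is `userHandleFromAssertion`: it returns the original hash with nothing more than a text decode, which is the concrete reason the id field gives no confidentiality. The PRF path keeps the same quick-open user experience, but the unlock material is derived per credential and per salt and is not readable from the stored credential metadata.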