WebAuthn credentials are always bound to a specific relying party id (RP-ID) (=domain).
This relying party id is defined during the attestation dance (registration phase).
bnf/mfa_webauthn currently uses HOST_NAME as relying party id.
This is a key WebAuthn feature to prevent credential spoofing via faked domain names.
Use case for configurable RP-IDs:
If the TYPO3 instance is available via https://*.mydomain.com, the WebAuthn spec allows the relying party id to either be instance.mydomain.com or mydomain.com.
The former will only allow credential-verification via instance.mydomain.com, the latter will allow verification via mydomain.com and all its subdomains.
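The scoping rule described above, as an added JavaScript example (not code from bnf/mfa_webauthn): it checks whether a candidate RP-ID is acceptable for a given origin and lists which origins could verify a credential registered under it. The function names, the sample origins and the tiny `PUBLIC_SUFFIXES` set are assumptions made for illustration; a real check needs the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, not complete).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Constructed sample origins, including two lookalike hosts.
const SAMPLE_ORIGINS = [
  "https://instance.mydomain.com",
  "https://other.mydomain.com",
  "https://mydomain.com",
  "https://notmydomain.com",
  "https://instance.mydomain.com.lookalike.example",
];

// Lower-case a host name and drop a trailing dot so comparisons are stable.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// True if rpId equals host or is a parent domain of it. The leading "."
// keeps the match on a label boundary, so "notmydomain.com" does not
// match "mydomain.com".
function isDomainSuffix(host, rpId) {
  return host === rpId || host.endsWith("." + rpId);
}

// RP-ID rule: the RP-ID must be the origin's host or a registrable parent
// domain of it, never a bare public suffix. The localhost and IP-address
// special cases are left out of this sketch.
function isAllowedRpId(origin, rpId) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false;
  const host = normalizeHost(url.hostname);
  const id = normalizeHost(rpId);
  if (id === "" || PUBLIC_SUFFIXES.has(id)) return false;
  return isDomainSuffix(host, id);
}

// Origins from the list that can use a credential registered under rpId.
function originsThatCanVerify(rpId, origins) {
  return origins.filter((origin) => isAllowedRpId(origin, rpId));
}

console.log(originsThatCanVerify("instance.mydomain.com", SAMPLE_ORIGINS));
console.log(originsThatCanVerify("mydomain.com", SAMPLE_ORIGINS));
```

Because the RP-ID is fixed at registration, a credential created under instance.mydomain.com is not usable after switching the configured RP-ID to mydomain.com, and the reverse also holds.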