I'm implementing webauthn as a proof-of-concept.
I want my users to be able to log in using several different "platform" authenticators, for example Windows Hello on their desktop computer and Face ID on their iPhone. Each authenticator will have its own public key, which it sends to the RP and which I'll store in a database.
When it comes time for the user to log in (calling navigator.credentials.get()), how do I know on the server (RP) what public key to use? Or should I just try them all?
Having multiple devices for a single user seems to be a supported scenario according to https://www.w3.org/TR/webauthn/#usecase-new-device-registration so I'm guessing there is some sort of official or best-practice way of implementing this.
So, if a user has multiple public keys associated with it, how do I know which one to use when verifying the login/assertion signature?

> When it comes time for the user to log in (calling navigator.credentials.get()), how do I know on the server (RP) what public key to use? Or should I just try them all?

You got it right: you should try them all at the same time. That's why allowCredentials is a list; you can include multiple IDs. The response will tell you which one was picked.