Yes, this is the intended behavior of the FIDO protocol - the credentialId is not sent in the attestation because the FIDO server is expected to know that. But, FIDO servers can optimize for that.
Topic:
Privacy & Security
SubTopic:
General
Tags: