Credential_id limit exceeded

Since I do not have a supported hardware authenticator, but have a TPM fingerprint reader on my notebook, I use a tool to bridge TPM to FIDO which is used for WebAuthn: GitHub - psanford/tpm-fido: A WebAuthn/U2F token protected by a TPM (Go/Linux)

When trying to create an identity, it works until after the captcha but then shows the following error:

We couldn’t reach Internet Identity

We failed to call the Internet Identity service, please try again.

Error details:

Call was rejected: Request ID: ***** Reject code: 5 Reject text: Canister rdmx6-jaaaa-aaaaa-aaadq-cai trapped explicitly: failed to register anchor *****: credential_id limit exceeded: length 246, limit 200

Is this somehow fixable maybe?

1 Like

Hi @SapereAude

Thanks for the report. The credential ID is an opaque byte array which should uniquely identify the credential. Usually the lengths of credential IDs is well below 100 bytes, and we allow a generous 200 bytes limit (unfortunately the spec does not impose a max length on WebAuthn implementations).

So the error message indicates that you tried registering a credential with a 246 bytes credential ID which seems excessively long. Could you perhaps change the configuration of the tool to issue shorter credential IDs? How long is the public key created by your tooling?

Thank you for the quick response!

I am not a cryptographer and try to stay away of messing with the details of security implementations (e.g. trying to cut the credential string). I just use the tool mentioned above. TPM works quite different from FIDO (see Webauthn in Linux with a TPM via the HID gadget | James Bottomley's random Pages) but actually seems to be a more secure, but at least a valid approach.

So to support the fingerprint reader on the free Linux (as you do on closed-source Win and macOS) might be a good move in order to win more devs in the community? Maybe you can check out the links and decide whether its worth to extend the limit a bit? Shouldn’t be a big deal from a technical point of view at least, but I’m not the export to understand the security details.

I have a Linux machine and some experience with crypto including TPMs and FIDO. But I haven’t tried using the fingerprint reader on any of my machines. I’ll try to get some time to look into this. But I am a bit snowed under at the moment, unfortunately not with real snow that one can ski on, so it may take a while before I get to this. If you have any further details that might be helpful when I get to this, please let me know. Many thanks for your report and, in advance, for your patience.

Thank you! Maybe the only information in addition is, that I tested the above mentioned solution successfully with However, I was not required to actually scan the fingerprint - it just uses the TPM for the auth key handling.

I was just looking for any possibility to use II in order to access and test your demo apps without having big-tech devices available. Maybe there are other, simpler fake/mock/emulator solutions you probably use in one way or another in your testing pipelines?

Hi, any news here? Thx!

This could be an alternative solution, although I was not able to test it on my setup: Bulwark Passkey

Maybe someone can confirm this is working with IC? It would lower the barrier for people on Linux who do not have a hardware token.

With reference to an alternative solution at Beginners Question: Accessability and Usability - #6 by SapereAude this topic can be closed.