- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 23 Oct 2017 11:24:38 +0000
- To: public-webauthn@w3.org
Great, I hope I didn't come across as condescending. :) WebAuthn does [mention use of fingerprints][uv] as an example of user verification, but leaves the implementation unspecified and up to the authenticator - probably the browser or OS in the case of Android fingerprint scanners. The API available to the Relying Party is that it can [request user verification][req-uv], and the authentication operation will simply fail if the user can't provide the right fingerprint. Whether to use fingerprints specifically - or something else like PIN, password, face, iris, voice, whatever - is up to the authenticator and opaque to the RP, so if an authenticator such as a smartphone supports multiple verification methods it may allow the user to choose per request which authentication method to use. In summary: If you as an RP use the WebAuthn API and request user verification, you **won't need to do anything else** to support fingerprint login - the client side will take care of that for you _if it's capable_. On the other hand you won't be guaranteed fingerprint verification specifically, but instead it will automatically fall back to any other verification method available without any change on the RP side. Does that answer your questions? [uv]: https://www.w3.org/TR/webauthn/#user-verification [req-uv]: https://www.w3.org/TR/webauthn/#dom-authenticatorselectioncriteria-uv -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/659#issuecomment-338628539 using your GitHub account
Received on Monday, 23 October 2017 11:24:40 UTC