[webauthn] The user-verification default of “preferred” is catching most sites out. (#1253)

agl has just created a new issue for https://github.com/w3c/webauthn:

== The user-verification default of “preferred” is catching most sites out. ==
With the launch of PIN support in Chrome 75, we received a bug report that Chrome was now asking for a PIN when logging into Google. It turns out that our server-side team had missed that the default value for userVerification was “preferred” and weren't setting a value. The user in question was unaware that their authenticator had a PIN set, but it did and thus we were asking for it.

Dropbox and Twitter also have no value set for userVerification and that appears to be the same error. (Indeed, it's unclear to me what site would want the behaviour of “preferred”.)

Given that this is catching everyone out, and that setting the default to “discouraged” is backwards compatible, perhaps we should do that.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1253 using your GitHub account
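As an added example that is not part of the issue above or of the w3c/webauthn repository: the fix agl describes on the relying-party side is to pass an explicit `userVerification` value rather than inheriting the spec default of "preferred". The helper below builds `PublicKeyCredentialRequestOptions` that refuses to omit the field, and goes one step further than the issue by showing the matching server-side check of the authenticator-data flags (UP is bit 0, UV is bit 2 of the flags byte, per the WebAuthn spec), so that "required" is actually enforced and "discouraged"/"preferred" do not reject an assertion that lacks UV. Function names, the 60 s timeout and the sample authenticator data are assumptions constructed for this example.

```javascript
// Added example, not code from the issue or the WebAuthn project.
// Runs under Node.js; only the options object would be handed to navigator.credentials.get() in a browser.
const UV_POLICIES = ["required", "preferred", "discouraged"];

// Build request options with userVerification set explicitly, so a site never
// silently inherits the spec default of "preferred" (the mistake described in the issue).
function buildRequestOptions(challenge, rpId, allowCredentials, userVerification) {
  if (!UV_POLICIES.includes(userVerification)) {
    throw new Error(`userVerification must be one of: ${UV_POLICIES.join(", ")}`);
  }
  return {
    challenge,          // Uint8Array of server-generated random bytes
    rpId,
    allowCredentials,   // [{ type: "public-key", id: <credential id bytes> }, ...]
    timeout: 60000,     // assumed value for this example
    userVerification,   // always explicit, never left to the default
  };
}

// Authenticator data layout per the WebAuthn spec:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional extensions
// flags bit 0 = UP (user present), bit 2 = UV (user verified).
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  return { up: (flags & FLAG_UP) !== 0, uv: (flags & FLAG_UV) !== 0 };
}

// Server-side policy check for an assertion. UP must always be set; UV is mandatory
// only when the relying party requested "required". For "preferred" and
// "discouraged" the UV bit is informational, which is why a site that does not
// need user verification should ask for "discouraged" instead of taking the default.
function assertionSatisfiesPolicy(authData, userVerification) {
  if (!UV_POLICIES.includes(userVerification)) {
    throw new Error("unknown userVerification policy");
  }
  const { up, uv } = parseAuthDataFlags(authData);
  if (!up) return { ok: false, reason: "user presence flag not set" };
  if (userVerification === "required" && !uv) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, reason: null, userVerified: uv };
}

// Constructed sample authenticator data: zeroed rpIdHash, given flags, zero sign count.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

// Stand-alone demonstration.
const opts = buildRequestOptions(new Uint8Array(32), "example.com", [], "discouraged");
console.log("request userVerification:", opts.userVerification);
console.log("UP only, policy discouraged:", assertionSatisfiesPolicy(sampleAuthData(FLAG_UP), "discouraged"));
console.log("UP only, policy required:", assertionSatisfiesPolicy(sampleAuthData(FLAG_UP), "required"));
console.log("UP+UV, policy required:", assertionSatisfiesPolicy(sampleAuthData(FLAG_UP | FLAG_UV), "required"));
```

The important design choice is that `buildRequestOptions` throws when the policy is missing: a default supplied by the server code would just move the same silent-default problem one layer down, whereas a hard failure at build time surfaces the omission in testing rather than as a surprise PIN prompt for users.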

Received on Wednesday, 3 July 2019 22:36:40 UTC