[webauthn] Clarify relation between requireUserVerification values for MakeCredential and GetAssertion (#1305)

FabianHenneke has just created a new issue for https://github.com/w3c/webauthn:

== Clarify relation between requireUserVerification values for MakeCredential and GetAssertion ==
In [6.3.3 The authenticatorGetAssertion Operation, Step 7](https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion), it is specified that if user verification is performed, it has to be ensured that the user verified is the same as the user verified during the corresponding call to the `authenticatorMakeCredential` operation. As a consequence of this requirement, user verification had to be performed during the corresponding call to `authenticatorMakeCredential`, so that this part of the spec can only apply to the situation where `requireUserVerification` had been set to `true` for both calls.

Now there are three other cases for the combination of the values of `requireUserVerification` in the `authenticatorMakeCredential` and `authenticatorGetAssertion` calls, two of which I believe may not be handled in sufficient detail by the spec:

1. `requireUserVerification` set to `false` in both calls: No user verification required at any step, behaves analogously to plain U2F.
2. `requireUserVerification` set to `true` in `authenticatorMakeCredential` and to `false` in `authenticatorGetAssertion`: In this case, I think that it is not sufficiently clear whether the authenticator is expected to a) allow the use of the credential without performing user verification and note this by setting the UV flag to 0 or b) decline to use any credential created with user verification, potentially erroring out if there are no credentials that can be used without user verification.
3. `requireUserVerification` set to `false` in `authenticatorMakeCredential` and to `true` in `authenticatorGetAssertion`: Because of the requirement cited above, it is unclear how to treat this situation since it cannot be ensured that the current user is the one who created the credential, but at the same time user verification must be performed. Does this mean that an error should be returned and if so, which one?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1305 using your GitHub account
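As an added example (not code from the issue author or from the WebAuthn spec), the following shows how the four `requireUserVerification` combinations above look from the relying party's side, which only ever sees the UP/UV bits of the authenticator data flags byte; `make_auth_data`, `evaluate_assertion` and the reason strings are assumptions made here for illustration, and the sample authenticator data is constructed inline.

```python
import hashlib
import struct

# Bits of the "flags" byte in WebAuthn authenticator data
# (layout: rpIdHash[32] | flags[1] | signCount[4] | ...).
FLAG_UP = 0x01  # bit 0: User Present
FLAG_UV = 0x04  # bit 2: User Verified


def make_auth_data(rp_id: str, uv: bool, up: bool = True, sign_count: int = 0) -> bytes:
    """Constructed authenticator data (no attested credential data), for demonstration only."""
    flags = (FLAG_UP if up else 0) | (FLAG_UV if uv else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_flags(auth_data: bytes) -> dict:
    """Read UP/UV out of the flags byte at offset 32."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than rpIdHash + flags + signCount")
    flags = auth_data[32]
    return {"up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV)}


def evaluate_assertion(reg_auth_data: bytes, assertion_auth_data: bytes, rp_requires_uv: bool) -> tuple:
    """Hypothetical RP policy over the (registration UV, assertion UV) combinations.

    Returns (accepted, reason). Only the flag bits are visible to the RP, so this is the
    RP's view of the cases in the issue, not the authenticator's internal behaviour.
    """
    reg = parse_flags(reg_auth_data)
    asr = parse_flags(assertion_auth_data)
    if not asr["up"]:
        return False, "user_presence_missing"            # the spec always requires UP on assertions
    if rp_requires_uv and not asr["uv"]:
        return False, "uv_required_but_not_performed"    # case 2 when the RP insists on UV
    if reg["uv"] and asr["uv"]:
        return True, "uv_bound_to_registration"          # both true: step 7 of the spec applies
    if reg["uv"] and not asr["uv"]:
        return True, "uv_downgraded_since_registration"  # case 2a: credential used with UV=0
    if not reg["uv"] and asr["uv"]:
        return True, "uv_not_bound_to_registration"      # case 3: UV now, no link to registering user
    return True, "presence_only"                         # case 1: plain U2F-like behaviour
```

The RP can only detect the mismatch between registration and assertion UV bits if it stored the registration flags; it cannot resolve case 3 on its own, which is why the issue asks the spec to say what the authenticator should do.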

Received on Saturday, 21 September 2019 15:47:11 UTC