
Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Fri, 13 Oct 2017 21:43:35 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336574658-1507931000-sysbot+gh@w3.org>

**Regarding Silent signatures and user presence:**

- Thinking more about this, silent signatures from the web should not be allowed for privacy reasons. User presence should always be there, similar to the current U2F model. U2F does not allow silent signatures, and that IMO is the right security model. Silent signatures can detect user accounts without the user knowing, and IMO the user should always know if someone is trying to detect their accounts.

**Regarding User verification:**

The RP does not know what kind of authenticators the user currently has plugged in, nor what dynamic authenticators the user will plug in/tap/etc. in the future. So it can't make any authenticator-based decision beforehand.

- If the RP cares about user verification and the authenticator is capable of it by default, the platform will ask the authenticator for user verification, the signature will reflect user verification, and the RP is happy.

- If the RP cares about user verification but the authenticator is not capable of it, the RP can reject such a signature (one without the UV bit) when it receives it.

- If the RP does not care about user verification but is OK with getting it as part of the signature due to default authenticator behaviour, it can simply ignore the UV bit.

- If the RP does not want user verification to happen even if the authenticator is capable of doing user verification, and only cares about user presence, I propose introducing one boolean variable called `UVNotRequired`. This way, the platform will only send "UP" to the authenticator, even if the authenticator is capable of user verification, if it sees this variable set to true.

**Proposal:**

Introduce a boolean variable `UVNotRequired` to the `get` method which can be set to `true` if the RP does not want user verification. The default value of this variable is `false`, and in that case the platform will follow default authenticator semantics.


-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-336574658 using your GitHub account
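The RP-side acceptance rules described in the comment above (user presence always required, the UV bit enforced or ignored depending on RP policy), as an added example in Node.js that is not part of the original comment or the WebAuthn specification; the byte layout of the authenticator data (rpIdHash, flags, sign counter) is the WebAuthn one, while the sample data, the `requireUV` policy field and the function names are constructed for this illustration.

```javascript
// Added example (not from the original comment): RP-side check of the
// authenticator data flags returned with an assertion. User presence (UP)
// is always required; the user-verification (UV) bit is required only when
// the RP policy says so, otherwise it is ignored.

// Flag bit positions in the authenticator data "flags" byte (WebAuthn).
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Decide whether the RP accepts an assertion under its policy.
// policy.requireUV (hypothetical field): true  -> UV bit must be set
//                                        false -> UV bit is ignored
function evaluateAssertionFlags(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    // A signature without UP is a "silent signature"; never accept it.
    return { accepted: false, reason: "UP not asserted; silent signature rejected" };
  }
  if (policy.requireUV && !parsed.userVerified) {
    return { accepted: false, reason: "RP requires UV but UV bit is not set" };
  }
  return {
    accepted: true,
    reason: parsed.userVerified ? "UP and UV asserted" : "UP asserted; UV not required",
  };
}

// Constructed sample authenticator data: all-zero rpIdHash (placeholder),
// chosen flags byte, sign counter 7. Not real authenticator output.
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37);
  buf[32] = flags;
  buf.writeUInt32BE(7, 33);
  return buf;
}
```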
Received on Friday, 13 October 2017 21:43:23 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC