W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Mon, 16 Oct 2017 22:57:13 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337067688-1508194631-sysbot+gh@w3.org>
I think Jeff's enum way of describing things is the right model. I propose enum name of `userVerificationRequirement` with values of `Required`, 'NotRequired` and `AuthenticatorBehavior`, with default value being `AuthenticatorBehavior`.

- `Required`: Authenticator MUST enforce user verification and signature MUST
have `UV` bit set.

- `NotRequired`: Authenticator MUST not ask for user verification even if authenticator is capable of it. This if for scenario where touch is enough for RP and it does not want UI pops on authenticator or platform for ClientPin Case. May be in case it wants to use the authenticator as a second factor device.

- `AuthenticatorBehavior`: Platform performs the default behavior of authenticator and signature reflects that. It is kind of RP saying, tell me what you have and I will decide what level of authentication you can have or RP does not care about user verification but OK if it receives it as it ignores it. For Authenticators, which don't support user verification, it will not set "UV" bit set. For authenticators that can support user verification, platform will send such a request and signature will reflect "UV" bit.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-337067688 using your GitHub account
Received on Monday, 16 October 2017 22:57:21 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC