Re: [webauthn] Enforce specific user verification methods (#1211)

>@hgomi53:
>For example, let's consider a case in which a user browses a recipe site while she is cooking. In this case, it is difficult for her to use the finger to sign in to the site.
>
>If the RP knows this situation about her, it would like to specify "voice" or "face" as a UVM in the Authenticator Selection extension of an authn request (excluding the fingerprint UVM). This should contribute to a better user experience for her than that of her selecting one among verification options.

For use cases like this I think it should be up to the client and authenticator to provide those options in a usable way; it should not be the RP's decision to limit the options based on what the RP thinks the user is doing. That is bound to create a frustrating user experience if the user can't override the RP's guesswork, and even if the RP would allow some configuration of this behaviour, at that point we're just stacking up more and more complexity to solve something that shouldn't be a problem in the first place.

I think a better motivation is security requirements on UV methods, but I'm not convinced that's a big issue either. If an RP cares about the UV method for security reasons, then they necessarily also require device attestation and can already enforce that only authenticators with allowable UV methods are used.

>@kieun:
>For usability (to avoid misleading users), the RP wants to disallow local pattern or PIN for the authentication, because sometimes users cannot distinguish between online authentication and local authentication.

This is an interesting point, but again I think it should probably be the client's responsibility to help the user make this distinction.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1211#issuecomment-502625413 using your GitHub account

Received on Monday, 17 June 2019 10:22:26 UTC