- From: John Bradley <ve7jtb@ve7jtb.com>
- Date: Mon, 17 Jun 2019 22:52:55 -0400
- To: public-webauthn@w3.org
If the RP forces a UV method that the user can't override, you are more likely to have users in a situation where they can't sign in. I have seen banks ask to override fingerprint and force PIN, for a higher level of security.

Biometrics on most devices won't stop any sort of sophisticated physical attacker. Mostly you are counting on the user keeping the device out of the hands of the attacker and the biometric preventing casual or accidental misuse of the credential. It is probably best to let the device default to the UV method the user prefers and sets locally.

I know on Android the authenticator is currently hard coded to fingerprint with a PIN fallback; that will be changing in future so that any authenticator integrated into the Android biometric API that works for screen unlock will work as the FIDO second factor.

Honestly, I think in general RPs trying to override the users' settings is bound to go wrong in most cases.

John B.

On 6/15/2019 8:58 AM, Tom Scavo wrote:
> On Sat, Jun 15, 2019 at 3:43 AM Hidehito Gomi via GitHub
> <sysbot+gh@w3.org> wrote:
>> For example, let's consider a case in which a user browses a recipe site while she is cooking. In this case, it is difficult for her to use the finger to sign in to the site.
> Great use case :-)
>
>> If the RP knows this situation about her...
> How can the RP know that fingerprint is not an option?
>
> Tom
Received on Tuesday, 18 June 2019 02:53:21 UTC
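The thread turns on what an RP can and cannot control about user verification. The following is an added example, not code from the thread or from any WebAuthn implementation: it shows an RP expressing only a UV preference (`userVerification` of `"preferred"` or `"required"`, which is the knob the WebAuthn API actually exposes) and then reading the UV and UP flag bits from the assertion's `authenticatorData`, leaving the choice of fingerprint versus PIN to the device. The RP ID `example.com`, the `highValueOperation` switch and the constructed sample bytes are assumptions made for the example.

```javascript
// Added example (not from the thread): an RP states a UV preference and then
// checks what the authenticator reported, rather than dictating the UV method.

// Request options for navigator.credentials.get(). "preferred" lets the
// authenticator use whatever UV method the user configured locally;
// "required" makes the ceremony fail if UV cannot be performed.
function requestOptions(challenge, highValueOperation) {
  return {
    challenge,                      // Uint8Array supplied by the server
    rpId: "example.com",            // assumed RP ID for this example
    userVerification: highValueOperation ? "required" : "preferred",
    timeout: 60000,
  };
}

// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false), // big-endian per the spec
  };
}

// RP-side policy: accept the assertion based on the UV bit, and only demand
// UV for operations that warrant it. The RP never learns or enforces which
// method (biometric or PIN) satisfied UV; that stays with the device.
function evaluateAssertion(authData, highValueOperation) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag not set" };
  }
  if (highValueOperation && !parsed.userVerified) {
    return { ok: false, reason: "UV required for this operation but UV flag not set" };
  }
  return { ok: true, userVerified: parsed.userVerified };
}

// Constructed sample authenticatorData: placeholder rpIdHash, chosen flags,
// signCount = 5. Not captured from a real authenticator.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);          // placeholder rpIdHash
  buf[32] = flags;
  buf[33] = 0; buf[34] = 0; buf[35] = 0; buf[36] = 5;
  return buf;
}

// Usage: a low-value login with UP only is accepted; a high-value operation
// with UP only is refused; UP+UV satisfies both.
console.log(evaluateAssertion(sampleAuthData(FLAG_UP), false));
console.log(evaluateAssertion(sampleAuthData(FLAG_UP), true));
console.log(evaluateAssertion(sampleAuthData(FLAG_UP | FLAG_UV), true));
```

The point of the split between `"preferred"` and `"required"` is that the RP only ever gates on the UV bit for the operations where it matters; the device's locally configured method, whichever one the user can actually use in the moment, remains the one that sets that bit.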