
Re: [webauthn] Enforce specific user verification methods (#1211)

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Mon, 17 Jun 2019 22:52:55 -0400
To: public-webauthn@w3.org
Message-ID: <c7d47445-2ac7-fe51-0665-879d7dd28bcb@ve7jtb.com>

If the RP forces a UV method that the user can't override you are more
likely to have users in a situation where they can't sign in.

I have seen banks ask to override fingerprint and force PIN, for a
higher level of security.

Biometrics on most devices won't stop any sort of sophisticated physical
attacker.

Mostly you are counting on the user keeping the device out of the hands
of the attacker and the biometric preventing casual or accidental misuse
of the credential. 

It is probably best to let the device default to the UV method the user
prefers and sets locally.

I know on Android the authenticator is currently hard coded to
fingerprint with a PIN fallback; that will be changing in future so that
any authenticator integrated into the Android biometric API that works
for screen unlock will work as the FIDO second factor.

Honestly I think in general RPs trying to override the users' settings
is bound to go wrong in most cases.

John B.


On 6/15/2019 8:58 AM, Tom Scavo wrote:
> On Sat, Jun 15, 2019 at 3:43 AM Hidehito Gomi via GitHub
> <sysbot+gh@w3.org> wrote:
>> For example, let's consider a case in which a user browses a recipe site while she is cooking. In this case, it is difficult for her to use the finger to sign in to the site.
> Great use case :-)
>
>> If the RP knows this situation about her...
> How can the RP know that fingerprint is not an option?
>
> Tom
>
>
Received on Tuesday, 18 June 2019 02:53:21 UTC
