Re: [webauthn] Clarify relation between requireUserVerification values for MakeCredential and GetAssertion (#1305) from Fabian Henneke via GitHub on 2019-10-04 (public-webauthn@w3.org from October 2019)

From: Fabian Henneke via GitHub <sysbot+gh@w3.org>
Date: Fri, 04 Oct 2019 19:06:43 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-538523978-1570216002-sysbot+gh@w3.org>

Removing the requirement that the UV flag being set indicates that the same user has been verified sounds like a big change, but does seem entirely correct to me. The UV flag being returned in both a MakeCredential and a matching GetAssertion request would just mean that the authenticator verified *some* user each time, not necessarily the same one. The matching between the two verified users could then be delegated entirely to the `uvi` extension. Is this the route you are planning to take for the PR?

-- 
GitHub Notification of comment by FabianHenneke
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1305#issuecomment-538523978 using your GitHub account

Received on Friday, 4 October 2019 19:06:45 UTC