Re: [webauthn] Bio-Metric Authentication done by Another finger print (#1444)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Sat, 20 Jun 2020 18:07:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-647028148-1592676420-sysbot+gh@w3.org>

If I'm understanding your question correctly, you are registering a credential using a fingerprint but finding that someone else, whose fingerprint is not enrolled, can also pass the fingerprint check?

If so, can you say what authenticator you're using? I.e. is it a physical token plugged into a USB, Touch ID on macOS, or something else?

Secondly, are you requesting [user verification](https://w3c.github.io/webauthn/#user-verification) when registering and asserting the credential? (I.e. with [this](https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-userverification) parameter during registration and [this](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-userverification) one during assertion.)

If you're doing everything right, it's still possible that the fingerprint sensor on the authenticator is just bad and is producing a false positive result for the wrong fingerprint.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1444#issuecomment-647028148 using your GitHub account
Received on Saturday, 20 June 2020 18:07:03 UTC
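
An added example, not part of the original message or of the WebAuthn project's code: it shows the `userVerification` members the message links to and a relying-party check of the UV flag in the returned authenticator data. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example. Authenticator data layout: rpIdHash (32 bytes), flags (1), signCount (4, big-endian).
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

// The two places userVerification is requested (other required option members omitted).
const registrationOptions = { authenticatorSelection: { userVerification: "required" } }; // create()
const assertionOptions = { userVerification: "required" }; // get()

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical server-side helper: reject a response that lacks UV when it was required.
function checkUserVerification(bytes, requested) {
  const ad = parseAuthenticatorData(bytes);
  if (!ad.userPresent) return { ok: false, reason: "UP flag not set" };
  if (requested === "required" && !ad.userVerified) {
    return { ok: false, reason: "UV flag not set although userVerification was required" };
  }
  return { ok: true, reason: ad.userVerified ? "user verified" : "presence only" };
}

// Constructed sample: zeroed rpIdHash, chosen flags byte, signCount = 7.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 7;
  return b;
}

console.log(checkUserVerification(sampleAuthData(0x05), assertionOptions.userVerification));
console.log(checkUserVerification(sampleAuthData(0x01), assertionOptions.userVerification));
```

The UV flag only reports that the authenticator performed its verification step; it does not measure how accurate the sensor is.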