Re: [webauthn] Bio-Metric Authentication done by Another finger print (#1444)

If I'm understanding your question correctly, you are registering a credential using a fingerprint but finding that someone else, whose fingerprint is not enrolled, can also pass the fingerprint check?

If so, can you say what authenticator you're using? I.e. is it a physical token plugged into a USB, Touch ID on macOS, or something else?

Secondly, are you requesting [user verification](https://w3c.github.io/webauthn/#user-verification) when registering and asserting the credential? (I.e. with [this](https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-userverification) parameter during registration and [this](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-userverification) one during assertion.)

If you're doing everything right, it's still possible that the fingerprint sensor on the authenticator is just bad and is producing a false positive result for the wrong fingerprint.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1444#issuecomment-647028148 using your GitHub account

Received on Saturday, 20 June 2020 18:07:03 UTC
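
The two `userVerification` parameters linked in the message, together with the relying-party check that the authenticator actually reported user verification, shown as an added example (not code from the comment or from the WebAuthn project). The function names, the `example.com` RP values and the sample authenticator data are constructed for illustration.

```javascript
// Added example: function names and sample values are hypothetical.

// Options passed to navigator.credentials.create() at registration.
function registrationOptions(challenge, userId) {
  return { publicKey: {
    challenge,
    rp: { name: "Example RP", id: "example.com" },          // constructed values
    user: { id: userId, name: "alice", displayName: "Alice" },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],    // ES256
    authenticatorSelection: { userVerification: "required" },
  } };
}

// Options passed to navigator.credentials.get() at assertion.
function assertionOptions(challenge) {
  return { publicKey: { challenge, rpId: "example.com", userVerification: "required" } };
}

// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0), // DataView reads big-endian by default
  };
}

// Server-side check: asking for "required" in the options is not enough on its
// own; the RP must also reject responses whose UV flag is clear.
function requireUserVerified(authData) {
  const parsed = parseAuthData(authData);
  if (!parsed.userPresent) throw new Error("UP flag not set");
  if (!parsed.userVerified) throw new Error("UV flag not set");
  return parsed;
}

// Constructed 37-byte authenticator data with a zeroed rpIdHash and signCount 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}
```

The UV flag only records that the authenticator claims to have verified the user; it says nothing about how accurate the fingerprint matcher is.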