If I'm understanding your question correctly, you are registering a credential using a fingerprint but finding that someone else, whose fingerprint is not enrolled, can also pass the fingerprint check? If so, can you say what authenticator you're using? I.e. is it a physical token plugged into a USB, Touch ID on macOS, or something else?

Secondly, are you requesting [user verification](https://w3c.github.io/webauthn/#user-verification) when registering and asserting the credential? (I.e. with [this](https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-userverification) parameter during registration and [this](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-userverification) one during assertion.)

If you're doing everything right, it's still possible that the fingerprint sensor on the authenticator is just bad and is producing a false positive result for the wrong fingerprint.

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1444#issuecomment-647028148 using your GitHub account

Received on Saturday, 20 June 2020 18:07:03 UTC