Re: [webauthn] PRF extension. (#1424)

User verification choice is important in the hmac-secret extension. I think it needs more clarification regarding its implications.

If an RP uses this extension with UV Discouraged for now and then in future tries to go with UV Required, that transition is tricky. First they have to call webauthn get() using UV discouraged, decrypt their state, then call another webauthn get() call with UV required so that they can encrypt it properly. 

RPs should not do UV Preferred as that is dependent on the authenticator.

Probably, it's better that RPs make up their mind regarding UV before using it. If they always want to remain one way all the time, no issues.

If use cases are with UV required only, maybe it is easiest to have this extension applicable only to the UV Required case?

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1424#issuecomment-635207880 using your GitHub account

Received on Thursday, 28 May 2020 08:47:25 UTC
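
The two-step transition described in the comment above, as an added example that is not part of the original message or of the WebAuthn/CTAP specifications' text. It is a software model, not real `navigator.credentials.get()` calls, and assumes the CTAP2 hmac-secret behavior in which the authenticator keeps separate per-credential secrets for assertions with and without user verification; all function names are hypothetical.

```javascript
// Added example: software model of a CTAP2 hmac-secret authenticator.
const crypto = require('node:crypto');

// Hypothetical simulated credential. Assumption: the authenticator holds two
// per-credential secrets and picks one depending on whether UV was performed.
function makeCredential() {
  return { withUV: crypto.randomBytes(32), withoutUV: crypto.randomBytes(32) };
}

// Models the extension output of one get() call: HMAC-SHA-256(CredRandom, salt).
function hmacSecret(cred, salt, uvPerformed) {
  const key = uvPerformed ? cred.withUV : cred.withoutUV;
  return crypto.createHmac('sha256', key).update(salt).digest();
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decrypt(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if the key is wrong
}

// One assertion without UV to decrypt, a second with UV to re-encrypt.
function migrateToUV(cred, salt, blob) {
  const oldKey = hmacSecret(cred, salt, false); // get() #1, UV discouraged
  const state = decrypt(oldKey, blob);
  const newKey = hmacSecret(cred, salt, true);  // get() #2, UV required
  return encrypt(newKey, state);
}

function demo() {
  const cred = makeCredential();
  const salt = crypto.randomBytes(32); // constructed sample salt
  const blob = encrypt(hmacSecret(cred, salt, false), Buffer.from('rp state'));
  const migrated = migrateToUV(cred, salt, blob);
  let oldKeyStillWorks = true;
  try { decrypt(hmacSecret(cred, salt, false), migrated); } catch { oldKeyStillWorks = false; }
  const keysDiffer = !hmacSecret(cred, salt, true).equals(hmacSecret(cred, salt, false));
  const recovered = decrypt(hmacSecret(cred, salt, true), migrated).toString();
  return { keysDiffer, recovered, oldKeyStillWorks };
}
```

With UV Preferred, the `uvPerformed` argument in this model is decided by the authenticator rather than the RP, so the RP cannot know in advance which of the two keys a given assertion will return.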