Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510) from Emil Lundberg via GitHub on 2020-11-04 (public-webauthn@w3.org from November 2020)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 04 Nov 2020 20:38:19 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-721962468-1604522298-sysbot+gh@w3.org>

I'll echo Shane's initial point: the user verification requirement is a property of the _ceremony_, not of a credential. For example, one might allow both UV and a conventional password as the second factor for initial sign-in, but require hardware UV for signing a legal document. Specifying separate UV requirements per credential is moot, then, because any response without UV would be rejected anyway.

As for the different login scenarios: for username-less logins you by definition cannot specify per-credential UV requirement. "Username-ful" (I guess would be the term?) logins would usually prompt for a password first anyway, and if not, you can still use `uv: "preferred"` and prompt for the password afterwards if the response comes back with UV=0.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-721962468 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 November 2020 20:38:21 UTC