Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Nov 2020 14:05:24 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-724722797-1605017123-sysbot+gh@w3.org>

CTAP2.1 allows enforcement of PIN policy per credential via CredProtect.

There is also a new alwaysUV setting that authenticators can support to always require uv for all credentials.

You can use credProtect now, but the RP needs to not send uv discouraged or the credential won't work.

I think there may be some confusion, with people thinking that credProtect only applies to discoverable credentials. It applies to both; that is why there is a level 3 required.




-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-724722797 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 10 November 2020 14:05:25 UTC
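
The interaction described in the message above, sketched as an added example that is not part of the original e-mail or of any project's code: a check an RP could run over its own registration and assertion options to see whether a credProtect-protected credential would still be usable. The function names, the `authenticatorHasUv` flag and the simplified treatment of "preferred" are assumptions; `rp.example` and the credential ID are constructed placeholders.

```javascript
// credProtect policy strings are the extension input values defined by CTAP 2.1.
const CRED_PROTECT_LEVEL = {
  userVerificationOptional: 1,
  userVerificationOptionalWithCredentialIDList: 2,
  userVerificationRequired: 3,
};

// Simplified model (assumption): "discouraged" means UV is skipped; "preferred"
// means UV happens only if the authenticator has a PIN or biometric set up.
function uvPerformed(userVerification = "preferred", authenticatorHasUv = true) {
  if (userVerification === "required") return true;
  if (userVerification === "discouraged") return false;
  return authenticatorHasUv;
}

// Returns { usable, reason } for a credential registered with createOptions
// when the RP later requests an assertion with getOptions.
function checkCredProtectUsable(createOptions, getOptions, authenticatorHasUv = true) {
  const policy = createOptions.extensions?.credentialProtectionPolicy
    ?? "userVerificationOptional";
  const level = CRED_PROTECT_LEVEL[policy];
  if (level === undefined) throw new Error(`unknown credProtect policy: ${policy}`);
  const uv = uvPerformed(getOptions.userVerification, authenticatorHasUv);
  const hasAllowList = (getOptions.allowCredentials ?? []).length > 0;

  if (level === 3 && !uv) {
    // Applies to non-discoverable credentials too: listing the ID does not help.
    return { usable: false, reason: "level 3 needs UV even with allowCredentials" };
  }
  if (level === 2 && !uv && !hasAllowList) {
    return { usable: false, reason: "level 2 is not discoverable without UV" };
  }
  return { usable: true, reason: "ok" };
}

// Constructed sample options.
const createOptions = {
  rp: { id: "rp.example", name: "Example RP" },
  extensions: { credentialProtectionPolicy: "userVerificationRequired",
                enforceCredentialProtectionPolicy: true },
};
const allowCredentials = [{ type: "public-key", id: new Uint8Array([1, 2, 3, 4]) }];
const discouraged = { rpId: "rp.example", userVerification: "discouraged", allowCredentials };
const preferred = { ...discouraged, userVerification: "preferred" };

console.log(checkCredProtectUsable(createOptions, discouraged)); // usable: false
console.log(checkCredProtectUsable(createOptions, preferred));   // usable: true
```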
