Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

CTAP2.1 allows enforcement of PIN policy per credential via CredProtect.

There is also a new alwaysUV setting that authenticators can support to always require uv for all credentials.

You can use credProtect now, but the RP needs to not send uv discouraged or the credential won't work.

I think there may be some confusion, with people thinking that credProtect only applies to discoverable credentials; it applies to both, which is why there is a level 3 required.




-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-724722797 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 10 November 2020 14:05:25 UTC