
[webauthn] Issue with user_verification=preferred (#1571)

From: p0w1 via GitHub <sysbot+gh@w3.org>
Date: Wed, 17 Feb 2021 14:13:01 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-810220461-1613571180-sysbot+gh@w3.org>
p0w1 has just created a new issue for https://github.com/w3c/webauthn:

== Issue with user_verification=preferred ==
If `user_verification=preferred` (default) is set, the current specification says "... will not fail the operation if the response does not have the UV flag set."
This is a security issue under certain conditions and it is not the behavior a user would expect. If you want to use "preferred" in order to accept tokens/browsers which do not support user_verification, it is OK. However, if a user registers with the UV flag set, he should be forced to use UV for every future authentication attempt. Otherwise the "preferred" option does not make any sense, because an attacker could always authenticate without UV.

The specification should be updated so that the UV-flag verification depends on whether the user used it during the registration or not.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1571 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
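The check the issue asks for, written out as relying-party-side code. This is an added example, not code from the WebAuthn specification, the w3c/webauthn repository or the issue author: it parses the fixed 37-byte prefix of authenticator data (rpIdHash, flags, signCount), and for `userVerification=preferred` it requires the UV flag only when the credential was registered with UV. The RP ID `example.com`, the `registered_with_uv` value (assumed to be stored per credential at registration) and the sample authenticator data are all constructed for the example.

```python
"""Relying-party-side check of the UV flag in a WebAuthn assertion.

Implements the policy proposed in the issue: with userVerification
"preferred", a credential that was registered with UV set must present UV
on every later assertion, while a credential registered without UV stays
usable without it. The field layout follows WebAuthn authenticator data.
"""
import hashlib
import struct

# Bit positions of the authenticator data flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

RP_ID = "example.com"  # assumed relying party ID for the constructed sample data


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def uv_required(requested: str, registered_with_uv: bool) -> bool:
    """Decide whether this assertion must carry the UV flag.

    'required'    -> always
    'preferred'   -> only if the credential was registered with UV (the
                     behaviour the issue asks for; the quoted spec text
                     never fails on a missing UV flag for 'preferred')
    'discouraged' -> never
    """
    if requested == "required":
        return True
    if requested == "preferred":
        return registered_with_uv
    if requested == "discouraged":
        return False
    raise ValueError(f"unknown userVerification value {requested!r}")


def verify_assertion_flags(auth_data: bytes, requested: str,
                           registered_with_uv: bool, rp_id: str = RP_ID) -> bool:
    """Return True if rpIdHash, UP and the UV policy all check out."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not parsed["up"]:
        return False  # an assertion must always prove user presence
    if uv_required(requested, registered_with_uv) and not parsed["uv"]:
        return False
    return True


def make_auth_data(flags: int, sign_count: int, rp_id: str = RP_ID) -> bytes:
    """Build constructed sample authenticator data (no attested credential data)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    with_uv = make_auth_data(FLAG_UP | FLAG_UV, 7)
    without_uv = make_auth_data(FLAG_UP, 8)
    # Credential registered with UV; an assertion without UV is rejected.
    print(verify_assertion_flags(without_uv, "preferred", registered_with_uv=True))   # False
    print(verify_assertion_flags(with_uv, "preferred", registered_with_uv=True))      # True
    # Credential from a token that never supported UV stays usable.
    print(verify_assertion_flags(without_uv, "preferred", registered_with_uv=False))  # True
```

The only state this adds to a relying party is one boolean per credential, recorded from the UV flag of the registration response; everything else is the same flags parsing an RP already has to do for UP and signCount.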
Received on Wednesday, 17 February 2021 14:13:03 UTC
