Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

No, it doesn't. See the attached screenshots. The following words are absent from both: "The values of userVerification, authenticatorAttachment, requireResidentKey, excludeCredentials, authenticatorTransport are not part of collected Client Data Json or authData, and are hints to the attached browser".

For example, even in: https://www.w3.org/TR/webauthn/#enum-residentKeyRequirement

This uses the words "the Relying Party's requirements". This language strongly encourages an implementor to believe this is a requirement that is enforced in the specification and can be relied on. Similar language exists throughout the document in many areas that are not requirements. There is no indication in these parameters that they are *hints* and may be altered or tampered with, leading to a false sense of security.

And similarly, https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential does NOT recommend the storage of the uv bit from the authenticator in step 23. It is only checked in 15.

My points continue to stand that Webauthn is unable to express in an authentication ceremony a user verification policy with mixed credential types (verified and unverified).

![Screen Shot 2021-01-21 at 14 20 45](https://user-images.githubusercontent.com/271005/105279734-f1fcf700-5bf3-11eb-8a0c-54874b005dae.png)
![Screen Shot 2021-01-21 at 14 20 52](https://user-images.githubusercontent.com/271005/105279730-ef9a9d00-5bf3-11eb-9e36-f84351d75635.png)


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-764268400 using your GitHub account
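The comment above argues that the `userVerification` option is only a hint to the browser and that the RP must instead rely on the UV flag carried in `authenticatorData`, recorded at registration and re-checked at every assertion. The following is an added example, not code from the WebAuthn specification or from the issue thread, showing a server-side RP check that does exactly that for a store holding a mix of UV-capable and UV-less credentials. The credential store, the `example.com` RP id, the sample `authenticatorData` bytes and the `make_auth_data` helper are constructed for the example; the 37-byte `authData` prefix layout (rpIdHash, flags, signCount) and the flag bit positions (UP = 0x01, UV = 0x04, AT = 0x40, ED = 0x80) are those defined by the specification.

```python
"""Server-side enforcement of the WebAuthn user-verification (UV) flag.

Added example (not spec or issue-thread code). It assumes a hypothetical
in-memory credential store and constructed authenticatorData values.
"""
import hashlib
import struct

# Flag bits of the authenticatorData flags byte (per the WebAuthn spec).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows the 37-byte prefix
FLAG_ED = 0x80  # extension data present

RP_ID = "example.com"  # constructed sample relying party id
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte authData prefix: rpIdHash || flags || signCount.

    Attested credential data or extensions that may follow (AT / ED set) are
    not needed for the UV decision and are left unparsed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def register_credential(store: dict, cred_id: bytes, auth_data: bytes) -> dict:
    """Registration: check the flags (the spec's step 15) and, beyond what the
    spec's step 23 requires, record whether UV was performed so the RP can
    enforce a per-credential policy in later assertions."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != RP_ID_HASH:
        raise ValueError("rpIdHash does not match this RP")
    if not parsed["up"]:
        raise ValueError("user presence flag not set")
    record = {"uv_at_registration": parsed["uv"], "sign_count": parsed["sign_count"]}
    store[cred_id] = record
    return record


def verify_assertion(store: dict, cred_id: bytes, auth_data: bytes, requested_uv: str) -> dict:
    """Authentication: `requested_uv` is the userVerification value the RP sent
    to the browser. It is treated purely as a hint; the decision is taken from
    the UV flag actually returned in authData, combined with what this
    credential proved at registration."""
    record = store.get(cred_id)
    if record is None:
        return {"accepted": False, "reason": "unknown credential"}
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != RP_ID_HASH:
        return {"accepted": False, "reason": "rpIdHash mismatch"}
    if not parsed["up"]:
        return {"accepted": False, "reason": "user presence flag not set"}
    # Mixed policy: a credential that proved UV at registration must keep
    # proving it; a UV-less credential is accepted unless the RP asked for
    # "required" for this ceremony.
    need_uv = requested_uv == "required" or record["uv_at_registration"]
    if need_uv and not parsed["uv"]:
        return {"accepted": False, "reason": "user verification required but UV flag not set"}
    # Signature counter check (authenticators that do not count report 0).
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= record["sign_count"]:
        return {"accepted": False, "reason": "signature counter did not increase"}
    record["sign_count"] = parsed["sign_count"]
    return {"accepted": True, "uv": parsed["uv"], "reason": "ok"}


def make_auth_data(flags: int, sign_count: int) -> bytes:
    """Construct a minimal 37-byte authData prefix for the sample run."""
    return RP_ID_HASH + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    store = {}
    register_credential(store, b"cred-A", make_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, 0))
    register_credential(store, b"cred-B", make_auth_data(FLAG_UP | FLAG_AT, 0))
    # Browser was sent "preferred" but cred-A is a UV credential: UV-less assertion is refused.
    print(verify_assertion(store, b"cred-A", make_auth_data(FLAG_UP, 1), "preferred"))
    # cred-B never did UV; under "preferred" it is still accepted, under "required" it is not.
    print(verify_assertion(store, b"cred-B", make_auth_data(FLAG_UP, 1), "preferred"))
    print(verify_assertion(store, b"cred-B", make_auth_data(FLAG_UP, 2), "required"))
```

The policy lives entirely in `verify_assertion`: whatever value of `userVerification` went out in the options, acceptance depends on the flag the authenticator signed over and on the record kept since registration, which is the distinction the comment says the spec text does not make visible.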


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 21 January 2021 05:04:19 UTC