[webauthn] Clarification needed: Is "user verification is required" the same as the `userVerification` option being set to `required` (#1699)

Infinisil has just created a new issue for https://github.com/w3c/webauthn:

== Clarification needed: Is "user verification is required" the same as the `userVerification` option being set to `required` ==
Step 15 of [Registering a new Credential](https://www.w3.org/TR/webauthn-2/#sctn-registering-a-new-credential) mentions:

> 15. If [user verification](https://www.w3.org/TR/webauthn-2/#user-verification) is required for this registration, verify that the [User Verified](https://www.w3.org/TR/webauthn-2/#concept-user-verified) bit of the [flags](https://www.w3.org/TR/webauthn-2/#flags) in authData is set.

Should maybe be changed to this instead:

> 15. If options.[authenticatorSelection](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-authenticatorselection).[userVerification](https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-userverification) is set to [required](https://www.w3.org/TR/webauthn-2/#dom-userverificationrequirement-required), verify that the [User Verified](https://www.w3.org/TR/webauthn-2/#concept-user-verified) bit of the [flags](https://www.w3.org/TR/webauthn-2/#flags) in authData is set.

---

Similarly with step 17 of [Verifying an Authentication Assertion](https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion):

> 17. If [user verification](https://www.w3.org/TR/webauthn-2/#user-verification) is required for this assertion, verify that the [User Verified](https://www.w3.org/TR/webauthn-2/#concept-user-verified) bit of the [flags](https://www.w3.org/TR/webauthn-2/#flags) in authData is set.

should maybe be this instead:

> 17. If options.[userVerification](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-userverification) is set to [required](https://www.w3.org/TR/webauthn-2/#dom-userverificationrequirement-required), verify that the [User Verified](https://www.w3.org/TR/webauthn-2/#concept-user-verified) bit of the [flags](https://www.w3.org/TR/webauthn-2/#flags) in authData is set.

---

And if that shouldn't be done, how is "user verification is required" different from the respective `userVerification` being set to `required`?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1699 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 14 February 2022 15:04:45 UTC
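
The check discussed in steps 15 and 17, as an added example that is not part of the issue or of the WebAuthn specification: a Relying Party reads the User Verified bit from the authData flags and enforces it only when the options it issued set `userVerification` to `required`. That reading of "user verification is required" is the one the issue proposes, taken here as an assumption; the function names and the sample bytes are hypothetical and constructed.

```javascript
// Added example: RP-side check of the UV flag (steps 15 / 17).
// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified

function parseAuthDataHeader(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authData shorter than the 37-byte fixed header");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Assumption: "required" is read from the options the RP itself issued
// (authenticatorSelection.userVerification for create(), userVerification for get()).
function uvRequirement(issuedOptions, ceremony) {
  const uv = ceremony === "registration"
    ? issuedOptions.authenticatorSelection?.userVerification
    : issuedOptions.userVerification;
  return uv ?? "preferred"; // default value of the member in both dictionaries
}

function checkUserVerification(issuedOptions, ceremony, authData) {
  const header = parseAuthDataHeader(authData);
  const requirement = uvRequirement(issuedOptions, ceremony);
  if (requirement === "required" && !header.userVerified) {
    return { ok: false, requirement, reason: "UV flag not set" };
  }
  return { ok: true, requirement, userVerified: header.userVerified };
}

// Constructed sample authData: zeroed rpIdHash, the given flags, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```

The `issuedOptions` argument should be the copy the server stored when it generated the challenge, since nothing in the client's response states which requirement was requested.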