
Re: [webauthn] Refer to options for the user verification check (#1718)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jun 2022 23:22:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1144240072-1654125740-sysbot+gh@w3.org>

I think you misunderstand the issue, and the fact that there are literally CVEs that exist because of this defect. It has affected Azure AD, Okta, Nextcloud and more. UV preferred is misleading because RPs do not validate it when requested, and RPs *believe* that it is required.

There is a blindingly obvious gap in this specification for "what happens when I ask for UV preferred" during registration and authentication. 

GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1718#issuecomment-1144240072 using your GitHub account

Received on Wednesday, 1 June 2022 23:22:23 UTC
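
An added example, not part of the original message or of any project it names: a relying-party check that acts on the UV flag actually returned in `authenticatorData` rather than on the `userVerification` value that was requested. The function names, the `registered_with_uv` parameter and the rule applied for "preferred" are assumptions made for this sketch, and the sample bytes are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified
POLICIES = ("required", "preferred", "discouraged")

@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int

def parse_authenticator_data(raw: bytes) -> AuthData:
    # Fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (count,) = struct.unpack(">I", raw[33:37])
    return AuthData(raw[:32], bool(raw[32] & FLAG_UP), bool(raw[32] & FLAG_UV), count)

def check_user_verification(raw: bytes, rp_id: str, requested: str,
                            registered_with_uv: bool = False) -> bool:
    """Return whether this ceremony may be treated as user-verified.

    Run this alongside signature verification, which covers these bytes.
    """
    if requested not in POLICIES:
        raise ValueError(f"unknown userVerification value: {requested!r}")
    ad = parse_authenticator_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the RP ID")
    if not ad.user_present:
        raise PermissionError("UP flag not set")
    if requested == "required" and not ad.user_verified:
        raise PermissionError("UV was required but the UV flag is not set")
    # Assumed policy for "preferred": a credential that registered with UV
    # must keep presenting UV, so it cannot silently drop to presence-only.
    if requested == "preferred" and registered_with_uv and not ad.user_verified:
        raise PermissionError("credential registered with UV, assertion lacks it")
    # Callers act on the flag the authenticator returned, not on what was requested.
    return ad.user_verified

def make_sample(rp_id: str, flags: int, count: int = 1) -> bytes:
    # Constructed sample input, not a captured assertion.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
```

A `False` return under "preferred" means the ceremony proved presence only, so the caller still needs another factor before treating the session as multi-factor.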
