Re: [webauthn] Refer to options for the user verification check (#1718) from Firstyear via GitHub on 2022-06-01 (public-webauthn@w3.org from June 2022)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jun 2022 23:22:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1144240072-1654125740-sysbot+gh@w3.org>

I think you mis-understand the issue, and the fact that there are literally CVE's that exist because of this defect. It has affected Azure AD, Okta, nextcloud and more. UV preferred is misleading because RP's do not validate it when requested, and RP's *believe* that it is required.

There is a blindingly obvious gap in this specification for "what happens when I ask for UV preferred" during registration and authentication. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1718#issuecomment-1144240072 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 1 June 2022 23:22:23 UTC