Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

I've changed my mind on this, I think we should give better guidance on how to use `userVerification: "preferred"`. In particular that if a credential has at some point been used with `UV=1`, then when `userVerification: "preferred"` the RP SHOULD verify that `UV=1` in that response. I maintain that UV is primarily a property of the ceremony, but not _only_ of the ceremony in the case of `userVerification: "preferred"`. Our position has been that RPs should know to enforce `UV=1` if they're claiming to do MFA but not prompting for a password, but we could be more explicit about the `"preferred"` case. As @Firstyear has correctly pointed out many times, users expect that when they are prompted for UV it is also enforced on the server. Even if a password has also been checked and UV is not strictly necessary, we should instruct RPs to enforce the flag in this case where it's likely that UV ended up performed anyway.

I have some ideas for a new section named something like "When and how to validate User Verification", covering the above and some more of the nuance around this. For example, that `UV=1` can't be relied on for MFA the _first_ time you see `UV=1` with a given credential, only from the _second_ time forward. The §7 RP operations would refer to this new section in the UV validation step.

This also ties into #1556 - sorry for leaving that hanging, looks like it was buried under other discussions and forgotten.

#1571 is also related, the description of the `"preferred"` value can be relaxed a bit to capture the notion that the RP might conditionally enforce UV depending on the credential used.

GitHub Notification of comment by emlun

Received on Thursday, 9 June 2022 20:17:08 UTC
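The enforcement rule emlun proposes above, written out as server-side logic so the cases are explicit. This is an added example, not code from the webauthn spec or from the thread; the `CredentialRecord` type, its `uv_seen_count` field, the function names and the constructed authenticatorData bytes are all assumptions made here for illustration.

```python
"""Added example: RP-side handling of the UV flag for an assertion under
userVerification "required" / "preferred" / "discouraged", following the
rule proposed in the thread: once a credential has been accepted with UV=1,
a later "preferred" ceremony must also carry UV=1. The record layout and
counter are illustrative assumptions, not spec-defined state."""
from dataclasses import dataclass

# Flag bits in the authenticatorData flags byte (WebAuthn §6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


@dataclass
class CredentialRecord:
    """Hypothetical per-credential state kept by the RP."""
    credential_id: bytes
    uv_seen_count: int = 0  # assumed field: accepted assertions that carried UV=1


def make_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Construct a minimal authenticatorData blob for testing:
    rpIdHash (32 bytes, zeroed here) | flags (1) | signCount (4, big-endian)."""
    return b"\x00" * 32 + bytes([flags]) + sign_count.to_bytes(4, "big")


def flags_from_auth_data(auth_data: bytes) -> int:
    """Read the flags byte; it sits immediately after the 32-byte rpIdHash."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than rpIdHash+flags+signCount")
    return auth_data[32]


def evaluate_uv(policy: str, auth_data: bytes, record: CredentialRecord) -> dict:
    """Decide whether the assertion passes the UV check for the given
    userVerification policy, and whether the RP may treat UV as a second
    factor. Updates record.uv_seen_count when an assertion with UV=1 is accepted."""
    flags = flags_from_auth_data(auth_data)
    up = bool(flags & FLAG_UP)
    uv = bool(flags & FLAG_UV)

    # User presence is always required for an assertion (§7.2).
    if not up:
        return {"accepted": False, "uv": uv, "counts_as_mfa": False,
                "reason": "UP flag not set"}

    if policy == "required":
        accepted, reason = uv, "required but UV=0" if not uv else "ok"
    elif policy == "preferred":
        # The thread's rule: a credential that has been used with UV=1 before
        # is expected to present UV=1 again; a never-verified credential may
        # still pass with UV=0.
        if uv or record.uv_seen_count == 0:
            accepted, reason = True, "ok"
        else:
            accepted, reason = False, "credential previously used with UV=1 but UV=0 now"
    elif policy == "discouraged":
        accepted, reason = True, "ok"
    else:
        raise ValueError(f"unknown userVerification policy: {policy!r}")

    # Per the thread: UV=1 counts toward MFA only from the second time this
    # credential is seen with UV=1, not the first.
    counts_as_mfa = accepted and uv and record.uv_seen_count >= 1

    if accepted and uv:
        record.uv_seen_count += 1

    return {"accepted": accepted, "uv": uv, "counts_as_mfa": counts_as_mfa,
            "reason": reason}


if __name__ == "__main__":
    rec = CredentialRecord(credential_id=b"constructed-cred-id")
    for flags in (FLAG_UP | FLAG_UV, FLAG_UP, FLAG_UP | FLAG_UV):
        print(evaluate_uv("preferred", make_auth_data(flags), rec))
```

Running the module walks one credential through three "preferred" ceremonies: the first UV=1 assertion is accepted but does not yet count as MFA, the following UV=0 assertion is rejected because the credential has now been seen verified, and the next UV=1 assertion is both accepted and MFA-grade.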