
Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Tue, 14 Jun 2022 04:15:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1154689853-1655180139-sysbot+gh@w3.org>

> I've changed my mind on this, I think we should give better guidance on how to use `userVerification: "preferred"`. In particular that if a credential has at some point been used with `UV=1`, then when `userVerification: "preferred"` the RP SHOULD verify that `UV=1` in that response. I maintain that UV is primarily a property of the ceremony, but not _only_ of the ceremony in the case of `userVerification: "preferred"`.

I think the important distinction here is that while it may be a property of the ceremony, the RP needs to *capture* that UV state from registration to know when and if they are able to validate that property during any subsequent ceremony.

So I'm extremely happy to see this post, and this change in approach! Thank you! 🎉

GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-1154689853 using your GitHub account

Received on Tuesday, 14 June 2022 04:15:42 UTC
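
An added example, not part of the original message or of any project's code: one way an RP could capture the UV flag at registration and enforce it on later `userVerification: "preferred"` assertions, as the message and the quoted comment describe. The `StoredCredential` record, the function names and the sample authenticator data are assumptions made for illustration; signature, origin, rpIdHash and counter checks are omitted.

```python
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # authenticatorData flags bit 0: user present
FLAG_UV = 0x04  # authenticatorData flags bit 2: user verified

class UVPolicyError(Exception):
    pass

@dataclass
class StoredCredential:      # hypothetical RP-side credential record
    cred_id: bytes
    uv_seen: bool            # sticky: True once any ceremony reported UV=1

def flags_of(auth_data: bytes) -> int:
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return auth_data[32]

def register(cred_id: bytes, auth_data: bytes) -> StoredCredential:
    # Capture the UV state at registration so later ceremonies can be checked.
    return StoredCredential(cred_id, bool(flags_of(auth_data) & FLAG_UV))

def check_assertion(cred: StoredCredential, auth_data: bytes,
                    user_verification: str = "preferred") -> bool:
    uv = bool(flags_of(auth_data) & FLAG_UV)
    if user_verification == "required" and not uv:
        raise UVPolicyError("UV required but response has UV=0")
    # "preferred": a credential that has verified the user before must keep
    # doing so, otherwise a UV=0 response silently downgrades the ceremony.
    if user_verification == "preferred" and cred.uv_seen and not uv:
        raise UVPolicyError("credential previously used with UV=1; UV=0 rejected")
    cred.uv_seen = cred.uv_seen or uv   # persist alongside the credential
    return uv

def make_auth_data(flags: int, rp_id: str = "example.com", count: int = 0) -> bytes:
    # Constructed sample input, not a real authenticator response.
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_hash + bytes([flags]) + struct.pack(">I", count)
```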
