- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Mon, 27 Jun 2022 22:47:11 +0000
- To: public-webauthn@w3.org
> For example, that UV=1 can't be relied on for MFA the first time you see UV=1 with a given credential, only from the second time forward. The [ยง7 RP operations](https://w3c.github.io/webauthn/#sctn-rp-operations) would refer to this new section in the UV validation step. To address this specifically, I think this actually is a reflection of an issue with CTAP2.0, which forces UV=1 under discouraged but then won't apply UV during authentication under discouraged. Is this why you mention that you have to trust-on-first-use the UV from authentication? There is a different approach that is cleaner, which is that if the RP stores the UV policy that was requested during registration, you can use that along with the state of UV=1 from authentication to make a decision. -- GitHub Notification of comment by Firstyear Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-1168003975 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 June 2022 22:47:13 UTC