Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

@Firstyear I have a draft ready, but I haven't yet opened a pull request because it builds on PR #1746 and a few more larger restructurings which I'd like to have reviewed on their own first. But you can take a look at the [branch in my fork](https://github.com/w3c/webauthn/compare/editorial-fixes...emlun:webauthn:wip/uv-guidance?expand=1) if you're curious. There's no preview or diff automatically available, but you can build the spec yourself (see the README) if you want to.

> CTAP2.0, which forces UV=1 under discouraged but then won't apply UV during authentication under discouraged. Is this why you mention that you have to trust-on-first-use the UV from authentication?

No, it's because UV=1 does not identify the user to the RP, it only tells the RP it's the _same_ user (PIN sharing etc. notwithstanding) as the last time UV=1 was seen on that credential. So UV=1 does not suffice as a second factor if UV=1 has never been seen with that credential before, because there's no guarantee that it's the same user operating the authenticator as before.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-1168733598 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 June 2022 13:34:45 UTC
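The RP-side policy emlun describes above (UV=1 counts as a second factor only once the RP has previously tied UV=1 on that credential to a known user, otherwise it is trust-on-first-use anchored to some other factor), as an added Python example that is not part of this thread or of the WebAuthn spec; the `CredentialRecord` storage shape, the `other_factor_ok` input and the zeroed sample authenticatorData are assumptions made for the example.

```python
from dataclasses import dataclass

# authenticatorData layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes) || ...
FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified

@dataclass
class CredentialRecord:
    """Assumed RP-side storage for one credential (not a spec structure)."""
    credential_id: bytes
    uv_established: bool = False  # has the RP ever tied UV=1 on this credential to a known user?

def parse_flags(authenticator_data: bytes) -> tuple[bool, bool]:
    """Return (UP, UV) from the flags byte of authenticatorData."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData shorter than rpIdHash + flags + signCount")
    flags = authenticator_data[32]
    return bool(flags & FLAG_UP), bool(flags & FLAG_UV)

def evaluate_assertion(record: CredentialRecord, authenticator_data: bytes,
                       other_factor_ok: bool) -> str:
    """Decide how many factors a (signature-verified) assertion represents.

    other_factor_ok: whether the user separately completed an RP-controlled factor
    (e.g. a password) in this session; assumed input, not part of WebAuthn itself.
    """
    up, uv = parse_flags(authenticator_data)
    if not up:
        raise ValueError("user presence is required for an assertion")
    if uv and record.uv_established:
        # UV=1 means "same user as when UV was first trusted": possession + knowledge/inherence.
        return "multi-factor"
    if other_factor_ok:
        if uv:
            # Trust on first use: the other factor identifies the user, so from now on
            # UV=1 on this credential can be taken to mean that same user.
            record.uv_established = True
        return "multi-factor"
    # UV=1 never seen before and nothing else ties this authenticator to the user:
    # the signature alone only proves possession of the credential.
    return "single-factor"

def make_authenticator_data(flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData (zeroed rpIdHash) for local testing only."""
    return bytes(32) + bytes([flags]) + sign_count.to_bytes(4, "big")
```

The first UV=1 assertion on a fresh credential is deliberately scored as single-factor unless another factor accompanies it; only after that does UV=1 alone upgrade the result.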