
Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 28 Jun 2022 13:34:43 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1168733598-1656423281-sysbot+gh@w3.org>
@Firstyear I have a draft ready, but I haven't yet opened a pull request because it builds on PR #1746 and a few more larger restructurings which I'd like to have reviewed on their own first. But you can take a look on the [branch in my fork](https://github.com/w3c/webauthn/compare/editorial-fixes...emlun:webauthn:wip/uv-guidance?expand=1) if you're curious. There's no preview and diff automatically available, but you can build the spec yourself (see the README) if you want to.

> CTAP2.0, which forces UV=1 under discouraged but then won't apply UV during authentication under discouraged. Is this why you mention that you have to trust-on-first-use the UV from authentication?

No, it's because UV=1 does not identify the user to the RP; it only tells the RP it's the _same_ user (PIN sharing etc. notwithstanding) as the last time UV=1 was seen on that credential. So UV=1 does not suffice as a second factor if UV=1 has never been seen with that credential before, because there's no guarantee that it's the same user operating the authenticator as before.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-1168733598 using your GitHub account
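An RP-side sketch of the trust-on-first-use rule described in the comment above, added here as an example and not code from the spec or from emlun: the per-credential `uv_seen` field, the function names and the constructed authenticator data are assumptions.

```python
from dataclasses import dataclass, replace

# Flag bits in the WebAuthn authenticator data "flags" byte
FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified


@dataclass(frozen=True)
class CredentialRecord:
    """Hypothetical per-credential record kept by the RP (not from the spec)."""
    credential_id: bytes
    uv_seen: bool = False  # has this RP ever bound UV=1 to this credential?


def flags_from_authenticator_data(auth_data: bytes) -> int:
    """Extract the flags byte: rpIdHash (32) || flags (1) || signCount (4) || ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return auth_data[32]


def evaluate_assertion(record: CredentialRecord, auth_data: bytes,
                       other_factor_verified: bool = False):
    """Decide whether this assertion counts as two factors for this RP.

    Returns (is_multi_factor, updated_record). UV=1 is accepted as the second
    factor only if UV=1 was previously bound to this credential; otherwise it
    is bound (trust on first use) only when another factor has verified the
    user in this same session, because UV=1 alone says nothing about who the
    user is, only that it is the same user as last time UV=1 was seen."""
    flags = flags_from_authenticator_data(auth_data)
    if not flags & FLAG_UP:
        raise ValueError("user presence (UP) is always required")
    uv_now = bool(flags & FLAG_UV)
    if uv_now and record.uv_seen:
        return True, record
    if uv_now and other_factor_verified:
        return True, replace(record, uv_seen=True)
    # UV=0, or UV=1 never seen before: possession factor only
    return False, record


def constructed_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Build a minimal constructed authenticator data blob (zeroed rpIdHash)."""
    return b"\x00" * 32 + bytes([flags]) + sign_count.to_bytes(4, "big")
```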

Received on Tuesday, 28 June 2022 13:34:45 UTC
