- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 28 Jun 2022 13:34:43 +0000
- To: public-webauthn@w3.org
@Firstyear I have a draft ready, but I haven't yet opened a pull request because it builds on PR #1746 and a few more larger restructurings which I'd like to have reviewed on their own first. But you can take a look on the [branch in my fork](https://github.com/w3c/webauthn/compare/editorial-fixes...emlun:webauthn:wip/uv-guidance?expand=1) if you're curious. There's no preview and diff automatically available, but you can build the spec yourself (see the README) if you want to. > CTAP2.0, which forces UV=1 under discouraged but then won't apply UV during authentication under discouraged. Is this why you mention that you have to trust-on-first-use the UV from authentication? No, it's because UV=1 does not identify the user to the RP, it only tells the RP it's the _same_ user (PIN sharing etc. notwithstanding) as the last time UV=1 was seen on that credential. So UV=1 does not suffice as a second factor if UV=1 has never been seen with that credential before, because there's no guarantee that it's the same user operating the authenticator as before. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-1168733598 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 28 June 2022 13:34:45 UTC