Re: [webauthn] Refer to options for the user verification check (#1718)

This was discussed on the call of 2022-05-04. We feel that the proposed wording is too precise and doesn't cover the range of possibilities of when an RP might want to check for user verification.

At assertion time the RP might set a userVerification of "preferred" and, only when they receive the assertion, learn who the user in question is. RP policies around when UV is required might reasonably be keyed on the identity of the user signing in and so ignoring the UV bit because userVerification wasn't "required" mightn't be correct.

Likewise, at registration time, the RP only learns the attestation of the authenticator once they have received the response. Then they can plausibly ask for "preferred" userVerification and demand the UV based on the type of authenticator used. (I.e. if the authenticator supports UV and yet UV wasn't done, that's suspicious.)

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1718#issuecomment-1118899669 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 5 May 2022 18:13:20 UTC
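The two situations in the comment above (an account-level UV policy the RP only knows after identifying the user from the assertion, and an attestation that reveals a UV-capable authenticator at registration) come down to reading the UV bit from the authenticator data flags byte and applying a policy that was not known when userVerification was sent. The following is an added example, not code from the WebAuthn spec or from the commenter: it parses the fixed 37-byte authenticator data prefix (rpIdHash, flags, signCount) and runs a hypothetical RP policy check. The helper `make_authenticator_data`, the sample rpId "example.com" and the `user_requires_uv` / `authenticator_supports_uv` inputs are constructed for the example; how a real RP derives those two facts (account lookup, attestation metadata) is outside the block.

```python
import hashlib
import struct

# Bit positions in the authenticator data flags byte (WebAuthn authData layout).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
    Anything after byte 37 (attested credential data, extensions) is left to the caller.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested_credential_data": bool(flags & FLAG_AT),
        "extension_data": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def check_user_verification(
    requested_uv: str,
    parsed: dict,
    *,
    user_requires_uv: bool = False,
    authenticator_supports_uv: bool = False,
) -> tuple:
    """Hypothetical RP policy for the UV bit (not the spec's normative check).

    requested_uv is the userVerification value the RP sent ("required",
    "preferred" or "discouraged"). The keyword inputs are facts the RP only
    learns after receiving the response: user_requires_uv from looking up the
    account the credential maps to, authenticator_supports_uv from attestation.
    Returns (accepted, reason).
    """
    uv = parsed["user_verified"]
    if not parsed["user_present"]:
        return False, "UP flag not set"
    # The RP asked for UV, so its absence is a hard failure regardless of policy.
    if requested_uv == "required" and not uv:
        return False, "UV required but UV flag not set"
    # Account-level policy, applied even though the request said "preferred".
    if user_requires_uv and not uv:
        return False, "account policy requires UV but UV flag not set"
    # A UV-capable authenticator skipping UV when it was not told "discouraged".
    if requested_uv != "discouraged" and authenticator_supports_uv and not uv:
        return False, "authenticator supports UV but UV not performed; suspicious"
    return True, "ok"


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticator data prefix for testing (no real authenticator)."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    up_only = parse_authenticator_data(make_authenticator_data("example.com", FLAG_UP, 5))
    up_uv = parse_authenticator_data(make_authenticator_data("example.com", FLAG_UP | FLAG_UV, 6))
    # Assertion with "preferred", user turns out to require UV.
    print(check_user_verification("preferred", up_only, user_requires_uv=True))
    print(check_user_verification("preferred", up_uv, user_requires_uv=True))
    # Registration with "preferred", attestation says the authenticator can do UV.
    print(check_user_verification("preferred", up_only, authenticator_supports_uv=True))
    print(check_user_verification("discouraged", up_only, authenticator_supports_uv=True))
```

Note that the "preferred" plus account-policy case ends in a rejection rather than a silent downgrade; in practice an RP would respond by repeating the ceremony with userVerification set to "required" now that it knows who the user is.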