Re: [webauthn] backup states in authenticator data (#1695)

In practice, the three platform authenticators only support credential release via UV, whether the RP requests it or not.

However, from a specification point of view, those are just current implementation choices.

Unless we say explicitly that multi-device credentials need to be protected with some form of user verification, then we need to remind RPs that a credential might always be returned without UV even if it was created with UV. That is also the case now, as the UV flag can be tampered with in the request.

Chrome and Windows will prompt a user to add a PIN for roaming authenticators if you send UV required in the request.
One possibility is requiring authenticators to register a UV method if UV=required in the request and none is configured. Though that is typically an implementation detail and not in the spec.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1695#issuecomment-1122772844 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 10 May 2022 19:19:46 UTC
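The practical point for RP implementers in the comment above is that the `userVerification` value sent in the request is not evidence of anything; only the flags byte inside the signed authenticator data says whether UV (and, for the BE/BS flags this issue is about, backup eligibility and state) actually happened. The following is an added example, not code from the thread or the WebAuthn spec: it parses the fixed prefix of authenticator data (rpIdHash, flags, signCount as defined in the spec) and enforces the RP's own UV requirement against the flags rather than against the request. The `build_sample_auth_data` helper and the `example.com` RP ID are constructed for the demonstration.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (multi-device credential)
FLAG_BS = 0x10  # backup state (credential is currently backed up)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_assertion_flags(auth_data: bytes, rp_id: str, uv_requirement: str) -> list:
    """Return a list of policy violations for an assertion; an empty list means it is acceptable.

    uv_requirement is the RP's *own* policy ("required", "preferred" or "discouraged"),
    taken from server-side configuration, never echoed back from the client request.
    """
    parsed = parse_authenticator_data(auth_data)
    problems = []
    # The rpIdHash must match the RP the server believes it is.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match expected RP ID")
    if not parsed["user_present"]:
        problems.append("UP flag not set")
    # Decide on the signed flag, not on what the client claimed it would do.
    if uv_requirement == "required" and not parsed["user_verified"]:
        problems.append("UV required by RP policy but UV flag not set in authenticator data")
    # The spec constrains BS to be 0 whenever BE is 0; anything else is malformed.
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        problems.append("BS flag set without BE flag")
    return problems


def build_sample_auth_data(flags: int, sign_count: int, rp_id: str = "example.com") -> bytes:
    """Constructed sample authenticator data for the demonstration (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # A multi-device credential assertion with UV performed: UP | UV | BE | BS.
    good = build_sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print("good:", check_assertion_flags(good, "example.com", "required"))
    # Same credential released with only a presence check, while RP policy requires UV.
    no_uv = build_sample_auth_data(FLAG_UP | FLAG_BE | FLAG_BS, 0)
    print("no UV:", check_assertion_flags(no_uv, "example.com", "required"))
```

The RP stores `uv_requirement` server-side and passes that stored value here; the `userVerification` member it put into the `PublicKeyCredentialRequestOptions` is only a hint to the client and, as the comment notes, can be altered before it reaches the authenticator.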