Re: [webauthn] Inconsistent Passkey Authentication in Google Chrome (#1993)

@CyberCtzn We have already noted this issue in https://github.com/kanidm/webauthn-rs/issues/281 and have had to move to uv=required everywhere to work around this. It affects Safari as well as Chrome.

The issue is that any correctly and securely implemented RP that uses uv=preferred and follows https://w3c.github.io/webauthn/#reg-ceremony-store-credential-record and https://w3c.github.io/webauthn/#abstract-opdef-credential-record-uvinitialized can very reasonably track and enforce that UV should always be provided by the credential in question. This behaviour of Safari and Chrome undermines that, and means that UV is trivially bypassable, which is especially bad as some RPs don't track and correctly enforce UV across ceremonies.

A user very reasonably would expect that Touch ID is required here, and the fact it goes away really is surprising.

Generally today the only secure uv setting is UV=required, and to always register with credProtect if possible. 



-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1993#issuecomment-1793616210 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 5 November 2023 02:50:36 UTC
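The RP-side check the comment describes (recording uvInitialized from the UV flag at registration and refusing later assertions that drop UV, even under uv=preferred) as an added example; this is not code from the thread, from Chrome or Safari, or from webauthn-rs. It parses only the fixed 37-byte prefix of authenticatorData, the sample authenticator data is constructed, and the record field names and the `UserVerificationError` type are this example's own, not the spec's or any library's.

```python
"""Relying-party enforcement of user verification across WebAuthn ceremonies.

Added example. Field names (uv_initialized, sign_count) mirror the spec's
credential record but are this example's own; the sample data is constructed.
"""
import hashlib
import struct
from dataclasses import dataclass

# Bits of the authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


class UserVerificationError(Exception):
    """Raised when an assertion does not satisfy the RP's UV policy."""


@dataclass
class CredentialRecord:
    credential_id: bytes
    sign_count: int
    uv_initialized: bool  # spec: uvInitialized, taken from the UV flag at registration


def parse_auth_data(auth_data: bytes, rp_id: str) -> tuple[int, int]:
    """Return (flags, signCount) from the fixed prefix; reject a wrong rpIdHash."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this RP")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return flags, sign_count


def register(credential_id: bytes, auth_data: bytes, rp_id: str,
             uv_policy: str) -> CredentialRecord:
    """Registration ceremony: store whether the credential performed UV."""
    flags, sign_count = parse_auth_data(auth_data, rp_id)
    uv = bool(flags & FLAG_UV)
    if not flags & FLAG_UP:
        raise UserVerificationError("UP flag not set")
    if uv_policy == "required" and not uv:
        raise UserVerificationError("uv=required but UV not performed at registration")
    return CredentialRecord(credential_id, sign_count, uv_initialized=uv)


def authenticate(record: CredentialRecord, auth_data: bytes, rp_id: str,
                 uv_policy: str) -> CredentialRecord:
    """Authentication ceremony: enforce UV from policy and from the stored record."""
    flags, sign_count = parse_auth_data(auth_data, rp_id)
    uv = bool(flags & FLAG_UV)
    if not flags & FLAG_UP:
        raise UserVerificationError("UP flag not set")
    if uv_policy == "required" and not uv:
        raise UserVerificationError("uv=required but assertion lacks UV")
    # The cross-ceremony check: a credential that proved UV at registration
    # must keep providing it, regardless of uv=preferred on this request.
    if record.uv_initialized and not uv:
        raise UserVerificationError(
            "credential was registered with UV but this assertion lacks it")
    # Signature counter: once either side is non-zero, it must strictly increase.
    if (record.sign_count or sign_count) and sign_count <= record.sign_count:
        raise UserVerificationError("signature counter did not increase")
    # Spec allows raising uvInitialized to true on a later UV assertion.
    return CredentialRecord(record.credential_id, sign_count,
                            record.uv_initialized or uv)


def assertion_accepted(record: CredentialRecord, auth_data: bytes, rp_id: str,
                       uv_policy: str) -> bool:
    """True if authenticate() accepts the assertion, False if it rejects it."""
    try:
        authenticate(record, auth_data, rp_id, uv_policy)
        return True
    except (UserVerificationError, ValueError):
        return False


def make_auth_data(flags: int, sign_count: int, rp_id: str = "example.com") -> bytes:
    """Constructed sample authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rec = register(b"cred-1", make_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, 0),
                   "example.com", "preferred")
    print("UV assertion accepted:", assertion_accepted(
        rec, make_auth_data(FLAG_UP | FLAG_UV, 1), "example.com", "preferred"))
    print("UV-less assertion accepted:", assertion_accepted(
        rec, make_auth_data(FLAG_UP, 2), "example.com", "preferred"))
```

With this record kept, an assertion from a credential that registered with UV but later arrives with only UP is rejected under uv=preferred, which is the enforcement the comment says most RPs skip; an RP that only checks the per-request policy would accept it.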