Re: [webauthn] Inconsistent Passkey Authentication in Google Chrome (#1993)

This is indeed the `"preferred"` user verification option behaving as expected. Preferring user verification allows RPs to optimize the authentication user experience by signaling that browsers and passkey providers can avoid situations in which a user might get prompted for a password.

Case in point: a typical user on a Mac Mini, without any kind of biometric sensor available, might wonder why they're constantly being prompted for their local login password when using a passkey for "passwordless auth". This stands to hurt passkey adoption as the use of a password, even a local-only one, can be confusing.

I'd also suggest that with the authentication bar being raised so much higher with passkeys, maybe it's okay for user verification to sometimes be false. The ceremony still benefits from the phishing-resistant aspects of WebAuthn auth, and the majority of platform and roaming authenticators will actually perform UV. Couldn't RPs factor in the additional MFA barriers that platform authenticator passkey providers have implemented to be okay with sometimes getting `uv:false` from ceremonies they participate in? 🤔

That said, the power is in the RP's hands to avoid the ambiguity of a "preferred" ceremony if the RP doesn't like it. Mark UV "required" in options and check the auth data `uv` flag in the response - you'll more reliably get back `uv:true` as desired.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1993#issuecomment-1793783314 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 5 November 2023 16:28:43 UTC