- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Wed, 27 Mar 2024 19:29:24 +0000
- To: public-webauthn@w3.org
> > rather than the RP rejecting an assertion because all it could do was find out the time since last UV and then deciding it wasn't recent enough
>
> @sbweeden By requesting UV=preferred, you are stating that you will accept an assertion without user verification.
>
> If you will fail the login ceremony completely without UV, you should use UV=required.
>
> If you are OK with no UV, but need additional context for a risk engine (which may or may not ask for additional information), then you can use UV=preferred with this extension.

This extension does not afford the opportunity for the client+authenticator to prompt for UV, as part of the ceremony, *only if* the time since last UV doesn't satisfy the RP's policy. That's the use case that #2021 covers, that this extension does not.

--
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2052#issuecomment-2023805327 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 27 March 2024 19:29:25 UTC