Re: [webauthn] Remove the UVM extension from WebAuthn L3 (potentially) (#2069) from John Bradley via GitHub on 2024-05-09 (public-webauthn@w3.org from May 2024)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Thu, 09 May 2024 23:33:48 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2103603965-1715297626-sysbot+gh@w3.org>

UVM has never been supported by browsers.  It has the potential to have users authenticate and then have those authentications rejected by the RP with a message like "fingerprint not supported please try again using your pin."

For security keys the AAGUID will tell the RP what activation methods are supported.  For phones in most cases the authenticator is using screen unlock and may not know what method is used.  

RP wanting to know more about the authenticator seems reasonable for high security use cases, I just don't think UVM provides much help. 

Then we run into the question of if there are enough implementations. I think it was included in L1 based on there being UAF implementations. Now I think the bar clearly needs to be WebAuthn implementations.      



-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2069#issuecomment-2103603965 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 9 May 2024 23:33:49 UTC