Re: [webauthn] user verification discouraged should consider privacy impact or UA advice (#2323)

> Is user verification discouraged intended to be used for relying parties to signal a preference for less user interaction?

It is used by RPs to signal that no activation secret is needed for the authenticator (e.g. in cases where you are just doing step up). User interaction is always required when using a passkey.

> Does user verification provide a certain backstop of privacy protection for users to be sure they know what they're authenticating and to whom?

No, it does not. The UV preference is signaled by RPs based on their policy and the context for a given flow. 

> The spec might make that explicit, or note that UAs have the unaffected obligation to explain the operation to users even if the RP doesn't prefer that a user verification step is completed.

I'm not really sure what this means. The spec requires user presence when using a passkey. UV is an optional, additional check on top of that, and the spec is clear about that.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2323#issuecomment-3189377593 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 14 August 2025 17:53:07 UTC
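The reply above draws a line between user presence (always required) and user verification (requested per RP policy through the `userVerification` preference). The following is an added example, not code from the thread or from the WebAuthn project, showing how a relying party's server-side verification would enforce exactly that split on the authenticator data flags of an assertion; the flag bit positions follow the WebAuthn authenticator data layout, and the sample byte strings are constructed here.

```python
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn authenticator data layout)
FLAG_UP = 0x01  # user present: some user interaction happened at the authenticator
FLAG_UV = 0x04  # user verified: an activation secret (PIN/biometric) was checked
FLAG_BE = 0x08  # backup eligible (set for synced passkeys)
FLAG_BS = 0x10  # backup state


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_user_interaction(flags: int, user_verification: str) -> tuple[bool, str]:
    """Apply the RP's requested userVerification value ('required', 'preferred', 'discouraged').

    UP is mandatory regardless of the preference; UV is only enforced for 'required'.
    """
    if not flags & FLAG_UP:
        return False, "user presence flag not set; UP is mandatory for every assertion"
    if user_verification == "required" and not flags & FLAG_UV:
        return False, "RP policy required user verification but UV flag is not set"
    # 'preferred' and 'discouraged' accept either UV outcome; the RP may still record
    # whether UV happened to decide whether a later step-up is needed.
    return True, "ok"


def verify_assertion_interaction(auth_data: bytes, user_verification: str) -> tuple[bool, str]:
    parsed = parse_authenticator_data(auth_data)
    return check_user_interaction(parsed["flags"], user_verification)


# Constructed samples: an all-zero rpIdHash placeholder, chosen flags, and a sign count.
SAMPLE_UP_UV = bytes(32) + bytes([FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS]) + struct.pack(">I", 0)
SAMPLE_UP_ONLY = bytes(32) + bytes([FLAG_UP]) + struct.pack(">I", 7)
SAMPLE_NO_UP = bytes(32) + bytes([FLAG_UV]) + struct.pack(">I", 7)

if __name__ == "__main__":
    for label, data in [("up+uv", SAMPLE_UP_UV), ("up only", SAMPLE_UP_ONLY), ("no up", SAMPLE_NO_UP)]:
        for pref in ("required", "preferred", "discouraged"):
            print(label, pref, verify_assertion_interaction(data, pref))
```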