- From: Tim Cappalli via GitHub <sysbot+gh@w3.org>
- Date: Mon, 24 Feb 2025 08:55:43 +0000
- To: public-webauthn@w3.org
Most passkey providers / platform authenticators do not support credProtect. It was originally designed for security keys to ensure it couldn't be picked up off the ground and used without some form of verification (but there is nothing stopping a passkey provider / platform authenticator from implementing it).

> unless the same human user affirmatively presents the same biometric factor -- ie, that it wasn't some silent passkey return -- even if...?

FIDO2/WebAuthn makes no guarantee that UV represents the same user / same biometric template as creation. See https://www.w3.org/TR/webauthn-3/#user-verification

> If the above are fully true, isn't it accurate to say that this userHandle does not come back without UV??

You should always get the user handle for a passkey during an authentication ceremony. UV does not influence this.

--
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2677773462 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 February 2025 08:55:44 UTC
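
Added example, not part of the original message or of any project's code: a relying-party check that looks up the account from `userHandle` and evaluates the UV flag of `authenticatorData` as a separate policy decision. The names `evaluateAssertion`, `sampleAssertion` and `sampleAccounts` are hypothetical, the sample bytes are constructed, and signature and rpIdHash verification are assumed to have happened already.

```javascript
// Added example. Flag bits follow the WebAuthn authenticator data layout:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (bytes[32] & FLAG_UP) !== 0,
    userVerified: (bytes[32] & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

// Hypothetical RP policy. Assumes the assertion signature and rpIdHash were
// already verified elsewhere. `accounts` maps hex userHandle -> account name.
function evaluateAssertion(assertion, accounts, requireUV) {
  const ad = parseAuthenticatorData(assertion.authenticatorData);
  if (!ad.userPresent) return { ok: false, reason: "UP not set" };
  // The account is identified by userHandle, whatever the UV flag says.
  const account = assertion.userHandle ? accounts.get(toHex(assertion.userHandle)) : undefined;
  if (!account) return { ok: false, reason: "unknown or missing userHandle" };
  // UV = 1 only says the authenticator verified a user locally; enforcing it is
  // the RP's job, and it does not tie the assertion to the enrolling person.
  if (requireUV && !ad.userVerified) {
    return { ok: false, reason: "UV required but not set", account };
  }
  return { ok: true, account, userVerified: ad.userVerified };
}

// Constructed sample input (not captured from a real authenticator).
function sampleAssertion(flags) {
  const authenticatorData = new Uint8Array(37).fill(0xaa, 0, 32); // placeholder rpIdHash
  authenticatorData[32] = flags;
  authenticatorData[36] = 7; // signCount = 7
  return { authenticatorData, userHandle: Uint8Array.of(0xde, 0xad, 0xbe, 0xef) };
}
const sampleAccounts = new Map([["deadbeef", "alice"]]);
```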