- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 24 Feb 2025 09:52:30 +0000
- To: public-webauthn@w3.org
> In either case, can I be certain that:
>
> 1. this passkey will NOT successfully authenticate in a subsequent `get()` call, unless the same human user affirmatively presents the same biometric factor [...]

Only if the registration response includes the authenticator extension output `{ credProtect: 3 }` (note that this output will be [in the authenticator data](https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#authdata-extensions), not in the [client extension outputs](https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#dom-publickeycredential-getclientextensionresults)). If it does not, then there is no requirement that authentications with this credential must use UV even if the registration required UV - the `userVerification` parameter is set _per ceremony_, not per credential (this is a common point of confusion).

But in all cases, the [UV flag](https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#authdata-flags-uv) in any authentication response should reflect whether UV was used for that authentication. If you want to require UV, then you should verify that this flag is set. Of course this also assumes that the authenticator is honest about setting that flag - for high assurance use cases you might also need [authenticator attestation](https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#sctn-attestation) in order to evaluate whether the authenticator is trustworthy in reporting attributes like the UV flag.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2677904893 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 February 2025 09:52:31 UTC
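Added example (editor's code, not from the thread, the WebAuthn spec or any library): a relying-party-side parser for authenticator data that surfaces the two things the reply says to check, the UV flag on every response and the `credProtect` output in the registration's authenticator-data extensions. The sample authenticator data bytes are constructed for the example, with dummy key coordinates and an all-zero AAGUID.

```python
import struct
FLAG_UV, FLAG_AT, FLAG_ED = 0x04, 0x40, 0x80  # authData flag bits: UV, attested cred data, extensions

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder (ints, byte/text strings, maps, bools) -> (value, next_pos); lengths < 256 only."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info > 24: raise ValueError("unsupported CBOR length encoding")
    arg, pos = (info, pos) if info < 24 else (buf[pos], pos + 1)
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):
        item = bytes(buf[pos:pos + arg])
        return (item if major == 2 else item.decode()), pos + arg
    if major == 5:
        m = {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            m[k], pos = cbor_decode(buf, pos)
        return m, pos
    if major == 7 and arg in (20, 21):
        return arg == 21, pos
    raise ValueError(f"unsupported CBOR item (major {major}, info {info})")

def parse_auth_data(auth_data):
    """Layout: rpIdHash(32) | flags(1) | signCount(4) | [attested cred data if AT] | [extensions if ED]."""
    flags, pos = auth_data[32], 37
    out = {"uv": bool(flags & FLAG_UV), "sign_count": struct.unpack_from(">I", auth_data, 33)[0],
           "credential_id": None, "extensions": {}}
    if flags & FLAG_AT:
        cred_id_len = struct.unpack_from(">H", auth_data, pos + 16)[0]  # 16-byte AAGUID precedes it
        pos += 18
        out["credential_id"], pos = auth_data[pos:pos + cred_id_len], pos + cred_id_len
        _, pos = cbor_decode(auth_data, pos)  # COSE public key map; parsed only to skip past it
    if flags & FLAG_ED:
        out["extensions"], pos = cbor_decode(auth_data, pos)
    if pos != len(auth_data):
        raise ValueError("trailing bytes in authenticator data")
    return out

def uv_enforced_by_authenticator(reg):
    """True only if the authenticator committed to always requiring UV (credProtect level 3)."""
    return reg["extensions"].get("credProtect") == 3

# Constructed sample data (not real authenticator output): registration authData with UP|UV|AT|ED,
# a dummy EC2 COSE key, and {"credProtect": 3}; assertion authData with UP only (UV flag clear).
COSE_KEY = bytes.fromhex("a5010203262001215820") + b"\x11" * 32 + bytes.fromhex("225820") + b"\x22" * 32
REG_AUTH_DATA = (b"\xaa" * 32 + bytes([0x01 | FLAG_UV | FLAG_AT | FLAG_ED]) + b"\x00\x00\x00\x00"
                 + bytes(16) + b"\x00\x10" + bytes(range(16)) + COSE_KEY + b"\xa1\x6bcredProtect\x03")
ASSERTION_AUTH_DATA = b"\xaa" * 32 + b"\x01" + b"\x00\x00\x00\x07"
```

An RP that wants UV on every login checks `parse_auth_data(...)["uv"]` on each assertion regardless of what registration reported; `uv_enforced_by_authenticator` only tells you whether the authenticator itself has promised to refuse without UV.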