- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 24 Feb 2025 12:34:22 +0000
- To: public-webauthn@w3.org
> > In either case, can I be certain that:
> >
> > 1. this passkey will NOT successfully authenticate in a subsequent `get()` call, unless the same human user affirmatively presents the same biometric factor [...]
>
> Only if the registration response includes the authenticator extension output `{ credProtect: 3 }`

Oh, one more point of nuance here - this would guarantee that _some_ form of user verification was used, or in other words that "the authenticator verified that the user is a registered authorized user of the authenticator".

For example, the user may (1) initially configure the authenticator with a PIN and register a credential with UV, then (2) later use the PIN to unlock the authenticator admin settings and register a fingerprint, then (3) use that fingerprint as UV in a later authentication ceremony, then (4) later still register a second fingerprint, then (5) use the second fingerprint as UV in a later authentication. The PIN, the first and the second fingerprint will all simply be reported as the flag `UV: 1` - all indicate "an authorized user of the authenticator", but what that authentication factor is may change over time.

So there is no guarantee that "the same human user affirmatively presents the same biometric factor", only that "some _authorized_ human presents _some authentication factor authorized at the time_". To distinguish individual authentication factors, see the [`uvi` extension](https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-uvi-extension) which as far as I know is not currently nor planned to be supported by any platform.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2678289329 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 February 2025 12:34:23 UTC
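An added example (not from the thread or from the WebAuthn spec) of what a relying party can actually check in the registration response for the guarantee discussed above: it parses the authenticator data, reads the UV flag and the `credProtect` extension output, and treats the credential as UV-enforced only when both are present. The authenticator data, the COSE key stub and the `credProtect` map are constructed sample bytes, and the CBOR decoder is a minimal one written here rather than a library.

```python
import hashlib
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80

def cbor_decode(buf, i=0):
    # Minimal CBOR decoder: uint, negative int, bstr, tstr, map -> (value, next_index)
    mt, ai = buf[i] >> 5, buf[i] & 0x1F
    width = {24: 1, 25: 2, 26: 4}.get(ai, 0)
    if ai >= 24 and not width:
        raise ValueError("unsupported CBOR length encoding")
    n = ai if ai < 24 else int.from_bytes(buf[i + 1:i + 1 + width], "big")
    i += 1 + width
    if mt == 0: return n, i
    if mt == 1: return -1 - n, i
    if mt == 2: return bytes(buf[i:i + n]), i + n
    if mt == 3: return buf[i:i + n].decode("utf-8"), i + n
    if mt == 5:
        d = {}
        for _ in range(n):
            k, i = cbor_decode(buf, i)
            d[k], i = cbor_decode(buf, i)
        return d, i
    raise ValueError("unsupported CBOR major type %d" % mt)

def parse_authenticator_data(auth_data):
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData] | [extensions]
    flags = auth_data[32]
    out = {"rp_id_hash": auth_data[:32], "up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV),
           "sign_count": int.from_bytes(auth_data[33:37], "big"), "credential_id": None, "extensions": {}}
    i = 37
    if flags & FLAG_AT:  # AAGUID(16) | credentialIdLength(2) | credentialId | COSE public key (CBOR)
        cred_len = int.from_bytes(auth_data[i + 16:i + 18], "big")
        out["credential_id"] = auth_data[i + 18:i + 18 + cred_len]
        _, i = cbor_decode(auth_data, i + 18 + cred_len)  # skip over the COSE key
    if flags & FLAG_ED:  # authenticator extension outputs, e.g. {"credProtect": 3}
        out["extensions"], i = cbor_decode(auth_data, i)
    if i != len(auth_data):
        raise ValueError("trailing bytes in authenticator data")
    return out

def uv_required_on_every_use(parsed):
    # UV used now AND credProtect level 3 recorded, so later get() calls on this credential need UV.
    # As the comment notes, that proves *some* authorized factor was used, not which one.
    return parsed["uv"] and parsed["extensions"].get("credProtect") == 3

# Constructed sample registration authData (not a real capture); COSE key is a zeroed P-256/ES256 stub.
_COSE_KEY = b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + bytes(32) + b"\x22\x58\x20" + bytes(32)
SAMPLE_AUTH_DATA = (
    hashlib.sha256(b"example.com").digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT | FLAG_ED])  # rpIdHash, flags
    + (0).to_bytes(4, "big") + bytes(16) + (4).to_bytes(2, "big") + b"\xde\xad\xbe\xef"  # signCount, AAGUID, credId
    + _COSE_KEY + b"\xa1\x6bcredProtect\x03"  # COSE public key, extensions {"credProtect": 3}
)
```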