Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

> Does that help?

Yes, this is definitely helping, thank you!

> I wasn't aware that some authenticators register the biometric feature with an individual credential rather than the authenticator as a whole.

I'm not necessarily asserting that is the case, to be clear. What I am claiming is, I don't know of any way of using these APIs which would let me UV with one credential but actually have the ceremony return me a different credential.

I take your point that I might register multiple fingerprints or faces in my device unlock, and this set of biometric factors appears indistinguishably as one "credential factor" from the perspective of using these APIs... so yeah, I could have two different fingerprints I unlock my device with, and whichever one I choose to use in an assertion, I will get the same single credential back from `get()`.

I also take the point that UV as a general concept is distinct from actually presenting your factor. Like, there could be an authenticator where I have a fingerprint and a PIN in the same authenticator, and I could be asked for one or the other.

But as far as my testing is concerned, it sure seems like UV and "presenting my factor (fingerprint, face)" are the same. That is, the way these authenticators fulfill the UV is to ask me for my actual biometric factor, not to ask me for some other stand-in for my biometric factor.

Further, what I'm saying is, if I have two different credentials (separate credential IDs), as created by `create()`, on the same authenticator (regardless of the same or totally different underlying biometric factors), I know of no way to ask for one of them, with UV required, and the UV the authenticator asks me for isn't inherently tied to which credential it will end up returning me.

Scenario: Bob has his fingerprint registered as credential A, and Alice has her face registered on the same authenticator as credential B; both have been `create()` registered, and both received distinct credential IDs back. If Bob is using the device, and knows Alice's credential ID, can he ask the authenticator for HER credential (tied to her face), but when prompted for UV, actually Bob presents his fingerprint as UV, and the result of this ceremony is that Alice's credential details come back?

I don't know of any way to make that happen, but I am trying to find out if that is possible in ways I am not aware of?

-- 
GitHub Notification of comment by getify
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2679218270 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 24 February 2025 17:47:29 UTC