Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

There is no pairing of credential to biometric factor in Windows Hello,
Android, macOS or iOS.

For any given request, with or without an allow list, any OS-level device unlock
will work for any credential.

They all allow a PIN as an alternative if the biometric fails or is not
available, e.g. unplugging the fingerprint reader or camera on Windows.

Most of them ignore the requested UV and always perform UV. That is
allowed and is a setting in CTAP2.1 authenticators.

macOS will, in cases where UV is preferred and the biometric sensor is not
available, skip UV if the user is logged into the account, and return UV:0.

There are other pluggable platform authenticators now, from Dashlane,
1Password, Microsoft Authenticator, etc. Not all behave the same way.
There is currently no certification for them.

Some may be more creative about what counts as UV than others.

The UV flag you get back in a get assertion response is correct if it is a
certified authenticator based on attestation.

The UV flag in a get assertion response is probably correct if you don’t
have a trusted attestation for the authenticator.

It is all better than a password. What the RP needs to enforce will
depend on the security requirements.

In general I don’t know of any FIDO platform authenticator that binds the
biometric to the specific credential instance. Perhaps one of the third
party ones might. It would be a mistake to assume that is the general
behavior.

Regards

On Tue, Feb 25, 2025 at 8:26 AM Emil Lundberg via GitHub <sysbot+gh@w3.org>
wrote:

> > I don't know of any way to make that happen, but I am trying to find out
> if that is possible in ways I am not aware of?
>
> Yes, CTAP2 security keys such as YubiKey 5 behave that way, because the
> security key has no concept of separate users. So this:
>
> >HER credential (tied to her face)
>
> is inaccurate in that case. All credentials on the security key are "tied
> to" ALL UV factors configured on the security key, and those UV factors may
> change over time.
>
> --
> GitHub Notification of comment by emlun
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/2266#issuecomment-2681635220 using
> your GitHub account
>
>
> --
> Sent via github-notify-ml as configured in
> https://github.com/w3c/github-notify-ml-config
>
>

Received on Tuesday, 25 February 2025 12:08:48 UTC
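The RP-side check the thread keeps coming back to, as an added example that is not from the mailing list or the WebAuthn project: parse the authenticatorData returned in a getAssertion response, read the UP and UV flag bits, and enforce UV only when the RP requested userVerification "required", so a platform that returns UV:0 under "preferred" is handled by explicit policy rather than by accident. The RP ID, flag values and sign count below are constructed sample values.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the authenticatorData flags byte (WebAuthn authenticator data layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(data[:32], data[32], sign_count)


def assertion_acceptable(data: bytes, rp_id: str, requested_uv: str) -> bool:
    """RP-side policy check. The UV bit is only the authenticator's claim, and the
    thread notes platforms may return UV:0 (macOS, sensor unavailable, userVerification
    'preferred'), so the RP decides explicitly what a missing UV bit means."""
    ad = parse_auth_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False  # assertion was produced for a different RP ID
    if not ad.user_present:
        return False  # UP is mandatory for every assertion
    if requested_uv == "required" and not ad.user_verified:
        return False  # RP demanded UV and the authenticator did not perform it
    return True


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (not captured from a real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```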