Re: [webauthn] Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? (#2295)

> The chrome blog post only says the following:
> 
> > The registration response returns both "User Presence" and "User Verified" as false, so [the server should ignore these flags during credential verification](https://developers.google.com/identity/passkeys/developer-guides/server-registration#appendix_verification_of_the_registration_response).

That blog post is not entirely correct. For example, when I use Google Password Manager + Chrome on a Samsung Galaxy S24 running Android 15, user verification _is_ enforced and the UV bit is 1 even if the RP passes `"discouraged"` for user verification; furthermore the server is not allowed to "ignore" the UV bit per the [registration ceremony criteria](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential):

> 16. If the Relying Party requires user verification for this registration, verify that the UV bit of the `flags` in _authData_ is set.

In contrast, the server _is_ allowed (and in fact required) to ignore the UP bit when `conditional` mediation is used:

> 15. If _options_.[`mediation`](https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation) is not set to [`conditional`](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional), verify that the [UP](https://w3c.github.io/webauthn/#authdata-flags-up) bit of the [`flags`](https://w3c.github.io/webauthn/#authdata-flags) in _authData_ is set.

Unfortunately, as stated [above](https://github.com/w3c/webauthn/issues/2295#issuecomment-3059473472), the way Safari + Passwords on iPhones implement conditional mediation is wrong since it neither errors nor enforces user verification (i.e., the UV bit _is_ 0) when user verification is required. I [raised a bug](https://developer.apple.com/forums/thread/792710) in hopes that it is addressed.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295#issuecomment-3063187414 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 July 2025 17:40:45 UTC
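The following is an added illustration of the two registration-ceremony steps quoted in the comment above; it is not code from the commenter, the WebAuthn spec, or any browser. It parses the fixed 37-byte prefix of `authData` (rpIdHash, flags, signCount), reads the UP and UV bits, and applies step 15 (UP is waived only under `conditional` mediation) and step 16 (UV is mandatory whenever the RP requires user verification, with no mediation exception). The sample `authData` values are constructed, and mapping only `userVerification: "required"` to "the Relying Party requires user verification" is an assumption about RP policy.

```python
"""Server-side UP/UV flag checks from WebAuthn registration steps 15 and 16 (added example)."""
import hashlib
import struct
from typing import List, Optional

# authenticatorData flag bits (WebAuthn section 6.1, "Authenticator Data")
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).

    Attested credential data and extensions may follow; they are not needed for
    the two flag checks below, so they are left unparsed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed prefix")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "signCount": sign_count,
        "UP": bool(flags & FLAG_UP),
        "UV": bool(flags & FLAG_UV),
        "AT": bool(flags & FLAG_AT),
    }


def check_registration_flags(auth_data: bytes,
                             user_verification: str,
                             mediation: Optional[str]) -> List[str]:
    """Return the failed steps as strings; an empty list means steps 15 and 16 both passed.

    user_verification: the RP's authenticatorSelection.userVerification
                       ("required", "preferred" or "discouraged")
    mediation:         CredentialCreationOptions.mediation, or None when unset
    """
    parsed = parse_auth_data(auth_data)
    failures: List[str] = []

    # Step 15: UP must be set unless the RP used conditional mediation.
    if mediation != "conditional" and not parsed["UP"]:
        failures.append("step 15: UP bit not set and mediation is not conditional")

    # Step 16: if the RP requires user verification, UV must be set.
    # Unlike step 15 there is no conditional-mediation exception, so a UV=0
    # response to a "required" request fails regardless of mediation.
    # (Assumption: only "required" counts as the RP requiring UV.)
    if user_verification == "required" and not parsed["UV"]:
        failures.append("step 16: RP requires user verification but UV bit not set")

    return failures


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authData: the 37-byte fixed prefix only."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed scenarios mirroring the comment above:
    # (a) UV enforced even though the RP passed "discouraged": both steps pass.
    print(check_registration_flags(build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT),
                                   "discouraged", None))
    # (b) conditional creation returning UP=0, UV=0 while the RP requires UV:
    #     step 15 is waived by conditional mediation, step 16 still fails.
    print(check_registration_flags(build_auth_data("example.com", FLAG_AT),
                                   "required", "conditional"))
    # (c) the same UP=0, UV=0 response without conditional mediation: both steps fail.
    print(check_registration_flags(build_auth_data("example.com", FLAG_AT),
                                   "required", None))
```

Scenario (b) is the Safari + Passwords behaviour described in the comment: a server that "ignores" the UP bit under conditional mediation is following step 15, but it must still reject the registration under step 16 when it required user verification and UV came back 0.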