- From: Emil Lundberg via GitHub <noreply@w3.org>
- Date: Wed, 18 Jun 2025 19:24:51 +0000
- To: public-webauthn@w3.org
@ve7jtb made an acute observation here: the primary use case for conditional registration is to seamlessly upgrade users who currently have just a password as the sole authentication factor. In that case, since the transition is authorized based on a single-factor authentication, the resulting WebAuthn credential will also implicitly be equivalent to a single authentication factor, even if it happens to have the UV flag set. So the description of [`uvInitialized`](https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#abstract-opdef-credential-record-uvinitialized):

> When this is `false`, including an [authentication ceremony](https://w3c.github.io/webauthn/#authentication-ceremony) where it would be updated to `true`, the [UV](https://w3c.github.io/webauthn/#authdata-flags-uv) [flag](https://w3c.github.io/webauthn/#authdata-flags) MUST NOT be relied upon as an [authentication factor](https://pages.nist.gov/800-63-3/sp800-63-3.html#af).

doesn't contradict this use case if the RP isn't relying on UV as an authentication factor. Only if it wants to begin relying on UV as a second authentication factor, _then_ it SHOULD base the authorization of that transition on some other equivalent second factor if one is available for the user account. If the account has only a single authentication factor set up (e.g., only a password, or only one WebAuthn credential), then of course you can't do that, in which case it's fine to trust the initial observation of `UV=1` as the initialization of a second authentication factor for the account. Just like if you have only a password set, then the initial setup of an OTP is also trusted-on-first-use as the initialization of 2FA for the account.

So from that perspective there's no contradiction, since you start with single-factor and end with a different single-factor, and the 2FA recommendation in the `uvInitialized` description only applies when you want to go from single-factor to two-factor. Does that make sense?
The counterargument to this would be in the case that the user account _is_ already set up with 2FA - for example a password and OTP - and both were used just before a conditional registration was made. In that case yes, you'd get `UV=0` in that conditional registration and the first `UV=1` assertion with that credential SHOULD still be considered single-factor until authorized as 2FA by one of the other authentication factors. This is unfortunate but likely to be a fairly rare situation.

We'll leave conditional registration with `UV=0` for L3, but may consider adjusting to allow conditional registration with `UV=1` for L4.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295#issuecomment-2985450529 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 18 June 2025 19:24:52 UTC
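The two situations discussed in the comment above (a single-factor account that can trust the first `UV=1` observation, versus an account that already has 2FA and should wait for another factor to authorize the upgrade) can be written down as Relying Party logic. The following Python is an added example and is not code from the thread, the WebAuthn specification or any RP implementation; the `Account` model, the `other_factor_verified` parameter and the factor-counting rule in `other_factor_count` are assumptions chosen to illustrate the comment's reading of `uvInitialized`.

```python
from dataclasses import dataclass, field


@dataclass
class CredentialRecord:
    """Subset of the WebAuthn Credential Record; only uvInitialized is modelled."""
    credential_id: str
    uv_initialized: bool = False


@dataclass
class Account:
    """Hypothetical RP account model (an assumption, not from the spec or thread)."""
    has_password: bool = False
    has_otp: bool = False
    credentials: dict = field(default_factory=dict)  # credential_id -> CredentialRecord


def other_factor_count(account: Account, record: CredentialRecord) -> int:
    """Count authentication factors the account has apart from `record` itself.

    Assumed rule: a password and an OTP are one factor each; another WebAuthn
    credential counts as possession plus UV (2) only once its own UV is trusted.
    """
    count = int(account.has_password) + int(account.has_otp)
    for cid, other in account.credentials.items():
        if cid == record.credential_id:
            continue
        count += 2 if other.uv_initialized else 1
    return count


@dataclass
class AssertionOutcome:
    factors_counted: int   # factors the RP may credit to this ceremony
    uv_initialized: bool   # value of uvInitialized after processing


def process_assertion(account: Account, record: CredentialRecord, uv_flag: bool,
                      other_factor_verified: bool = False) -> AssertionOutcome:
    """Decide how many factors an assertion contributes and update uvInitialized.

    other_factor_verified (assumed parameter): True when one of the account's
    other second factors (e.g. OTP) was verified in this session, which is what
    authorizes the UV upgrade on an account that already has 2FA.
    """
    if record.uv_initialized:
        # UV is already trusted: possession + UV is two factors when UV=1.
        return AssertionOutcome(2 if uv_flag else 1, True)

    if not uv_flag:
        # Nothing to initialize; possession only.
        return AssertionOutcome(1, False)

    # uvInitialized is false and UV=1. The ceremony that would flip it to true
    # must still not rely on UV, so this login is credited as a single factor.
    if other_factor_count(account, record) < 2:
        # Single-factor account: trust-on-first-use, like initial OTP enrollment.
        record.uv_initialized = True
    elif other_factor_verified:
        # Account already has 2FA: initialize UV only once another factor authorized it.
        record.uv_initialized = True
    return AssertionOutcome(1, record.uv_initialized)


def demo() -> dict:
    """Walk both scenarios from the comment with constructed accounts."""
    # Scenario A: password-only account upgraded via conditional registration.
    acct_a = Account(has_password=True)
    rec_a = CredentialRecord("cred-a")
    acct_a.credentials[rec_a.credential_id] = rec_a
    first_a = process_assertion(acct_a, rec_a, uv_flag=True)
    second_a = process_assertion(acct_a, rec_a, uv_flag=True)

    # Scenario B: account that already has password + OTP.
    acct_b = Account(has_password=True, has_otp=True)
    rec_b = CredentialRecord("cred-b")
    acct_b.credentials[rec_b.credential_id] = rec_b
    first_b = process_assertion(acct_b, rec_b, uv_flag=True)
    authorized_b = process_assertion(acct_b, rec_b, uv_flag=True, other_factor_verified=True)
    after_b = process_assertion(acct_b, rec_b, uv_flag=True)
    return {"A": (first_a, second_a), "B": (first_b, authorized_b, after_b)}


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(name, outcomes)
```

In scenario A the first `UV=1` assertion is credited as one factor but flips `uvInitialized` to true, so the next assertion counts as two; in scenario B the flag stays false until a session in which the OTP was also verified.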