- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 May 2025 07:25:30 +0000
- To: public-webauthn@w3.org
Like. This flow would only be smooth if I set `uvInitialized = true` immediately during registration regardless of the fact that registration returned `UV = false`, but this seems like a security hole, as it allows for the scenario you describe where Bob can set a PIN on Alice's key.

I just don't understand how the UX of conditional create as described in the explainer and in, for example, https://developer.chrome.com/docs/identity/webauthn-conditional-create should work with these constraints in mind. The Chrome blog post only says the following:

> The registration response returns both "User Presence" and "User Verified" as false, so [the server should ignore these flags during credential verification](https://developers.google.com/identity/passkeys/developer-guides/server-registration#appendix_verification_of_the_registration_response).

Which doesn't really help. What does ignore mean? That I just set `uvInitialized` to true unconditionally? But how do I then avoid Bob taking Alice's key and setting a PIN that Alice doesn't know and then signing in to Alice's account?

--
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295#issuecomment-2882833544 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 15 May 2025 07:25:31 UTC
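The following is an added illustration, not code from the thread, the WebAuthn spec editors, or Chrome: a minimal relying-party model of the `uvInitialized` question raised above. It parses the flags byte of an authenticator-data blob, records `uvInitialized` from the registration's UV flag rather than unconditionally, and (my assumption about policy, not a conclusion the thread reached) treats the first UV = true assertion on a credential that was registered with UV = false as a step-up event that another factor must confirm before the record is updated. All authenticator-data blobs are constructed inline for the example; the function names and the `step_up_confirmed` parameter are hypothetical.

```python
"""Model of relying-party handling of the WebAuthn uvInitialized record field.

Added example (not from the thread). Assumptions: the RP stores one record per
credential with a `uv_initialized` flag; an assertion whose UV flag is set on a
credential registered with UV = false is not accepted as user verification until
a separate factor confirms it (`step_up_confirmed`). authData blobs are constructed.
"""
from dataclasses import dataclass
import hashlib
import struct

# Bit positions of the WebAuthn authenticator-data flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data present
FLAG_ED = 0x80  # extension data present


def parse_flags(auth_data: bytes) -> dict:
    """Extract UP, UV and the signature counter from an authData blob.

    Layout: rpIdHash (32) || flags (1) || signCount (4, big-endian) || ...
    """
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV), "sign_count": sign_count}


@dataclass
class CredentialRecord:
    credential_id: bytes
    uv_initialized: bool
    sign_count: int


def register(credential_id: bytes, auth_data: bytes) -> CredentialRecord:
    """Store uvInitialized as reported at registration; a conditional create
    that returns UV = false therefore yields uv_initialized = False."""
    f = parse_flags(auth_data)
    return CredentialRecord(credential_id, uv_initialized=f["uv"], sign_count=f["sign_count"])


def verify_assertion(record: CredentialRecord, auth_data: bytes, *,
                     require_uv: bool, step_up_confirmed: bool = False) -> str:
    """Decide how to treat an assertion's UV flag against the stored record.

    Returns "ok", "up-missing", "uv-required", or "step-up-required". The last
    is the defence against the scenario in the thread: a PIN set on the key by
    someone other than the account owner produces UV = true for the first time,
    and the RP must not accept that as the owner's user verification until a
    second factor confirms it.
    """
    f = parse_flags(auth_data)
    if not f["up"]:
        return "up-missing"
    if f["uv"] and not record.uv_initialized:
        if not step_up_confirmed:
            return "step-up-required"
        record.uv_initialized = True  # flip only after the step-up succeeded
    if require_uv and not f["uv"]:
        return "uv-required"
    return "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authData for the example: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def walkthrough() -> dict:
    """Conditional create (UP = UV = false), then an assertion carrying UV = true."""
    record = register(b"cred-1", make_auth_data("example.com", FLAG_AT, 0))
    uv_assertion = make_auth_data("example.com", FLAG_UP | FLAG_UV, 1)
    first = verify_assertion(record, uv_assertion, require_uv=True)
    flag_before = record.uv_initialized
    confirmed = verify_assertion(record, uv_assertion, require_uv=True, step_up_confirmed=True)
    return {"initial_uv": record.uv_initialized if False else flag_before,
            "first_uv_assertion": first, "after_step_up": confirmed,
            "uv_initialized_now": record.uv_initialized}


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Running the block walks the thread's scenario: the registration record starts with `uv_initialized = False`, the first UV = true assertion is answered with `step-up-required` instead of `ok`, and only after the step-up is confirmed does the record flip and the same assertion verify.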