Re: [webauthn] Same PRF regardless of UV? (#2337)

FIDO CTAP always provides different HMAC outputs for UV vs non-UV. That is one of the conformance tests for certified authenticators.

WebAuthn says that:
This extension only exposes a single PRF per credential and, when implementing on top of hmac-secret, that PRF MUST be the one used for when [user verification](https://www.w3.org/TR/webauthn-3/#user-verification) is performed. This overrides the [UserVerificationRequirement](https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement) if necessary.

This extension may be implemented for [authenticators](https://www.w3.org/TR/webauthn-3/#authenticator) that do not use [[FIDO-CTAP]](https://www.w3.org/TR/webauthn-3/#biblio-fido-ctap) so long as the behavior observed by a [Relying Party](https://www.w3.org/TR/webauthn-3/#relying-party) is identical.

So I think it is clear that a platform authenticator implementing PRF with or without hmac-secret must always require UV if it is returning PRF, given that "identical" would include UV being true in the response. Anything else would be a violation of the spec.

Can you explain what is unclear?  

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2337#issuecomment-3383741032 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 9 October 2025 01:34:53 UTC