Re: [webauthn] Same PRF regardless of UV? (#2337)

> Backwards compat to what tho, there iirc has been no other backend to prf in the first place, has there? And if platform authenticators had something, to my experience those were intrinsically alwaysuv anyway.

In that referenced thread, it seems that Google Password Manager gives the same PRF whether or not UV is provided. They said that they'd be willing to change given reason, but the text was input to reflect status quo.

I agree that non-CTAP authenticators should follow the same pattern as CTAP ones; to do otherwise is confusing for RPs and for authenticator developers.

For example, I initially understood from
> This overrides the [UserVerificationRequirement](https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement) if necessary

to mean that WebAuthn PRF always requires UV, and that if `userVerification: discouraged` and `extensions.prf` is set, then the WebAuthn client would either:
- upgrade the request to `userVerification: required`,
- or drop the PRF extension from the request.

(Which one the client chooses is undefined behavior in the spec, but either seems fine to me.)

The draft text implies that WebAuthn PRF can be executed without UV and produce the same result, which is in conflict with:

> This extension may be implemented for [authenticators](https://www.w3.org/TR/webauthn-3/#authenticator) that do not use [[FIDO-CTAP]](https://www.w3.org/TR/webauthn-3/#biblio-fido-ctap) so long as the behavior observed by a [Relying Party](https://www.w3.org/TR/webauthn-3/#relying-party) is identical.

It'd be interesting to sample how these different clients/authenticators behave. I have a gut feeling that this wouldn't break too many deployed sites, since the primary PRF authenticator implementations are in CTAP keys, which would have produced UV-dependent PRF, and macOS/iOS in the last year. Password managers would be the wild card.

I think this is worth breaking some sites that have been relying on UV-independent PRFs, for the security implications raised in the main issue text.

-- 
GitHub Notification of comment by iinuwa
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2337#issuecomment-3383884527 using your GitHub account


Received on Thursday, 9 October 2025 03:05:40 UTC
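As an added illustration of the RP-side consequence discussed in the comment above (example code, not from the thread or the WebAuthn spec): an RP that derives keys from PRF output should not rely on the client's undefined behaviour for `discouraged` + `prf`, but should request `userVerification: "required"` itself and check the UV flag in `authenticatorData` before using the result. The byte layout used (rpIdHash[32] | flags[1] | signCount[4]) is the WebAuthn authenticator data prefix; the sample data and helper names are constructed for this example.

```javascript
// Added example (not from the thread): RP-side handling of the PRF extension so that
// a UV-independent PRF from some client/authenticator cannot silently weaken the RP.
const FLAG_UP = 0x01; // user present bit in authenticatorData flags
const FLAG_UV = 0x04; // user verified bit in authenticatorData flags

// Build the options for navigator.credentials.get(). Whenever prf is requested,
// force userVerification "required" instead of leaving the upgrade/drop choice
// to the client (the undefined case discussed above).
function buildPrfRequestOptions(challenge, rpId, prfSalt) {
  return {
    publicKey: {
      challenge,
      rpId,
      userVerification: "required",
      extensions: { prf: { eval: { first: prfSalt } } },
    },
  };
}

// Parse the fixed-length prefix of authenticatorData; null if it is too short.
function parseAuthDataFlags(authData) {
  if (authData.length < 37) return null;
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false), // big-endian per WebAuthn
  };
}

// Return the PRF bytes only if this assertion proves UV; otherwise null.
// The caller must treat null as "no key material", not fall back to a UV-less value.
function acceptPrfResult(authData, clientExtensionResults) {
  const flags = parseAuthDataFlags(authData);
  if (!flags || !flags.userPresent || !flags.userVerified) return null;
  const prf = clientExtensionResults && clientExtensionResults.prf;
  const first = prf && prf.results && prf.results.first;
  if (!(first instanceof ArrayBuffer)) return null; // results.first is an ArrayBuffer
  return new Uint8Array(first);
}

// Constructed sample authenticatorData (rpIdHash zeroed) with the given flags/counter.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}
```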