Re: [webauthn] Same PRF regardless of UV? (#2337) from Nina Satragno via GitHub on 2025-10-14 (public-webauthn@w3.org from October 2025)

From: Nina Satragno via GitHub <noreply@w3.org>
Date: Tue, 14 Oct 2025 17:42:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-3402965957-1760463740-noreply@w3.org>

> dont platform passkeys like Google or apple implicitly always use UV regardless of the request?

No. For example, if you don't have a fingerprint reader and a request is UV=discouraged (or preferred), Google Password Manager won't request UV.

> a platform authenticator implementing PRF with or without HMAC Secret must always require UV if it is returning PRF.

I think I agree with this. GPM doesn't have this restriction, which feels like a bug. I filed https://crbug.com/451833359 to track that.

That said, I don't think this is a spec issue.

-- 
GitHub Notification of comment by nsatragno
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2337#issuecomment-3402965957 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 14 October 2025 17:42:23 UTC