Firstyear

Results 706 comments of Firstyear

It affects which credentials can be used in the registration ceremony, i.e. on FF with U2F, a UVP of Required would not select the U2F tokens since this uses CTAP1....

residentKey doesn't provide uv=preferred though, that's unrelated. This is however as you say, about the password-less (the token provides the MFA capabilities) and the traditional token + pw scenario. And...

I think there is some confusion here. I'm proposing that there is a disconnect between people's expectations and the word of the standard. I understand that today they are properties...

> There is no facility in WebAuthn to associate UV with a credential. And this is what I believe the issue in the standard is.

Okay, would it be viable to have this propose an extension to webauthn (irrespective of ctap version) that allows per-credential UV policy to be interpreted by the browser or client?

Just to clarify, what is it you believe is ambiguous and needs clarification here?

> I'm a bit confused though as to why credentials themselves should dictate their use, since the RP can decide to approve or deny the credentials as it sees fit....

The webauthn authentication challenge defines a verification policy for *all* possible credentials the user may use. This is incompatible with a scenario where you have verified credentials and unverified credentials....

No, it doesn't. See the attached screenshots. The following words are absent from both: "The values of userVerification, authenticatorAttachment, requireResidentKey, excludeCredentials, authenticatorTransport are not part of collected Client Data...

> I truly believe the fundamental issue here is not with the specification's semantics, but with false assumptions. Okay. In that case, please tell me how I can issue a...