python-fido2 icon indicating copy to clipboard operation
python-fido2 copied to clipboard
verified publisher icon Yubico

Allow when user_verification is preferred and PIN is not set

Open alexandrezia opened this issue 3 years ago • 1 comments

When user_verification is "preferred" and it's not configured in ubikey, allow authentication to proceed, As stated here: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html

PREFERRED: This value indicates that the RP prefers user verification for the operation if possible, but will not fail the operation if the response does not have the AuthenticatorDataFlags.UV flag set.

alexandrezia avatar Jul 19 '22 14:07 alexandrezia

I believe the current behavior is correct: PREFERRED should be treated as REQUIRED when the Authenticator supports it (even if it isn't configured). This is in accordance with the behavior I am seeing in Windows and what I interpret from the CTAP 2 and WebAuthn specifications.

dainnilsson avatar Sep 21 '22 11:09 dainnilsson