webauthn-ruby

Update documentation to avoid PIN bypass

Open tcannonfodder opened this issue 2 years ago • 2 comments

This fixes #350, which pointed out a bug in certain browser/device combinations that allow bypassing the user's PIN if the user_verification: true flag is not set.

https://hwsecurity.dev/2020/08/webauthn-pin-bypass/

tcannonfodder, Sep 20 '22 18:09

I feel that, in order to help with the migration to passkeys, the docs should be set up so that user_verification is required throughout.

tcannonfodder, Sep 20 '22 18:09

Sorry for the delay. Will take a look ASAP

brauliomartinezlm, Oct 12 '22 22:10
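
The check that the opening post asks the docs to require, shown as an added example (not part of this thread and not webauthn-ruby's own code): the relying party reads the flags byte of the WebAuthn authenticator data and rejects a response whose UV (user verified) bit is clear. The method names, the error class and the `example.test` RP ID are assumptions made for illustration; signature and challenge verification are out of scope here and still required.

```ruby
require "digest"

# Bits of the authenticator data flags byte, as defined by the WebAuthn spec.
FLAG_USER_PRESENT  = 0x01 # UP: a touch or similar presence test happened
FLAG_USER_VERIFIED = 0x04 # UV: PIN or biometric was actually checked

# Hypothetical error class for this example.
class UserVerificationError < StandardError; end

# Parses the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4, big-endian).
def parse_authenticator_data(bytes)
  bytes = bytes.b
  raise ArgumentError, "authenticator data too short" if bytes.bytesize < 37

  flags = bytes.getbyte(32)
  {
    rp_id_hash: bytes.byteslice(0, 32),
    user_present: (flags & FLAG_USER_PRESENT) != 0,
    user_verified: (flags & FLAG_USER_VERIFIED) != 0,
    sign_count: bytes.byteslice(33, 4).unpack1("N")
  }
end

# Rejects the response unless it is bound to our RP ID, the user was present,
# and (by default) the authenticator reports that it verified the user.
def check_flags!(bytes, rp_id:, require_user_verification: true)
  data = parse_authenticator_data(bytes)
  unless data[:rp_id_hash] == Digest::SHA256.digest(rp_id)
    raise UserVerificationError, "rpIdHash mismatch"
  end
  raise UserVerificationError, "user not present" unless data[:user_present]
  if require_user_verification && !data[:user_verified]
    raise UserVerificationError, "user verification required but UV flag not set"
  end
  data
end

# Constructed sample input: builds a minimal authenticator data header.
def sample_authenticator_data(rp_id, flags, sign_count)
  Digest::SHA256.digest(rp_id) + [flags].pack("C") + [sign_count].pack("N")
end
```

A response with flags `0x01` (touch only, no PIN) is accepted when `require_user_verification` is false and rejected when it is true, which is the difference the `user_verification: true` option makes.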