
user verification discouraged should consider privacy impact or UA advice

Open npdoty opened this issue 4 months ago • 2 comments

Is user verification discouraged intended to be used for relying parties to signal a preference for less user interaction? Does user verification provide a certain backstop of privacy protection for users to be sure they know what they're authenticating and to whom?

My understanding (thanks @timcappalli) is that this doesn't enable the abuse of silent info gathering. The spec might make that explicit, or note that UAs have the unaffected obligation to explain the operation to users even if the RP doesn't prefer that a user verification step is completed.

npdoty avatar Aug 14 '25 17:08 npdoty

Is user verification discouraged intended to be used for relying parties to signal a preference for less user interaction?

It is used by RPs to signal that no activation secret is needed for the authenticator (e.g. in cases where you are just doing step up). User interaction is always required when using a passkey.

Does user verification provide a certain backstop of privacy protection for users to be sure they know what they're authenticating and to whom?

No, it does not. The UV preference is signaled by RPs based on their policy and the context for a given flow.

The spec might make that explicit, or note that UAs have the unaffected obligation to explain the operation to users even if the RP doesn't prefer that a user verification step is completed.

I'm not really sure what this means. The spec requires user presence when using a passkey. UV is an optional, additional check on top of that, and the spec is clear about that.

timcappalli avatar Aug 14 '25 17:08 timcappalli
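The distinction drawn in the reply above (user presence is always attested, user verification is an optional extra that only a `required` preference insists on), as an added example that is not part of this thread or of the WebAuthn spec: a relying-party-side check that decodes the `authenticatorData` flags byte and applies the RP's `userVerification` preference. The sample buffer is constructed, not a real authenticator response.

```javascript
// Added example, not code from the WebAuthn spec or from this thread: decode the
// flags byte of authenticatorData and apply an RP's userVerification preference.
// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: User Present (always required for a passkey assertion)
const FLAG_UV = 0x04; // bit 2: User Verified (optional extra check on top of UP)
const FLAG_BE = 0x08; // bit 3: Backup Eligible
const FLAG_BS = 0x10; // bit 4: Backup State

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backupState: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// RP-side policy check. "discouraged" and "preferred" only relax the UV demand;
// user presence is never optional. Only "required" rejects an assertion without UV.
function checkUserVerificationPolicy(parsed, preference) {
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set: no user interaction attested" };
  }
  if (preference === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required by RP policy but UV flag not set" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample (not a real authenticator response): zero rpIdHash,
// caller-chosen flags byte, signCount 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

// Stand-alone demo: a UP-only assertion passes under "discouraged" but not "required".
const upOnly = parseAuthenticatorData(sampleAuthData(FLAG_UP));
console.log(checkUserVerificationPolicy(upOnly, "discouraged"), checkUserVerificationPolicy(upOnly, "required"));
```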

@npdoty did the previous response sufficiently answer your questions about user verification?

timcappalli avatar Oct 29 '25 14:10 timcappalli