Either UV or UP should be enough #1037
Comments
I thought that UP was required to prevent silent authentications from being solicited via webauthn.
Depends on what you mean by "UP". They don't have a "button" dedicated to user presence, but their operation (tapping a NFC smart card to a reader, inserting a buttonless USB authenticator) does actually prove to a relying party that the user is present.
I agree, but it's debatable whether a USB device left plugged in for an extended time (perhaps with a PIN cached for the session) should still be regarded as guaranteeing user presence.
@sbweeden UP or UV. If UV set to false, UP is request. V.V.
The table explaining UP/UV combinations at the end of https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#authenticatorGetAssertion (right before https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#authenticatorGetNextAssertion) may be helpful in considering this issue. It says:
@herrjemand At this point I'm not sure anything needs to be done here
@nadalin The question is whether the guidance in the webauthn spec (that UP must ALWAYS be set in authenticate responses from the authenticator) is correct? At the very least we need to make that determination.
At this moment, we don't allow silent authentication and every response has UP set. There is no scenario where UV is set and UP is not set. "Smart Card" scenario doesn't exist right now as platform has to look for user interaction before doing anything. So no change is required right now.
@herrjemand Discussed on call and closing no action
The step 12 in section 7.2 mandating UP:
Some of the authenticators, such as smart cards, don't have UP. So in this case UV should be enough.
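
As an added illustration (not part of the issue thread and not code from the WebAuthn project), this is how a relying party could read the UP and UV bits from authenticator data and apply either the always-UP rule the thread says the spec mandates or the UP-or-UV rule this issue proposes. The function names and the `policy` option are hypothetical, Node.js `Buffer` is assumed, and the sample authenticator data is constructed.

```javascript
// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified

function parseAuthData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error("authenticator data too short");
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    up: (flags & FLAG_UP) !== 0,
    uv: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// policy "strict": UP must always be set (the rule the thread discusses).
// policy "either": UP or UV suffices (the change proposed in this issue).
// requireUV models a relying party that asked for user verification.
function checkUserFlags(authData, { requireUV = false, policy = "strict" } = {}) {
  const { up, uv } = parseAuthData(authData);
  if (requireUV && !uv) return { ok: false, reason: "UV required but not set" };
  if (policy === "strict" && !up) return { ok: false, reason: "UP not set" };
  if (policy === "either" && !up && !uv) {
    return { ok: false, reason: "neither UP nor UV set" };
  }
  return { ok: true, reason: null };
}

// Constructed sample: zeroed rpIdHash, caller-chosen flags byte and counter.
function makeAuthData(flags, signCount = 1) {
  const b = Buffer.alloc(37);
  b[32] = flags;
  b.writeUInt32BE(signCount, 33);
  return b;
}

// The smart-card case from the issue: UV set, UP clear.
const uvOnly = makeAuthData(FLAG_UV);
console.log(checkUserFlags(uvOnly, { policy: "strict" }));
console.log(checkUserFlags(uvOnly, { policy: "either" }));
```

Under the strict rule a UV-only response is rejected, which is the behavior the issue questions; a response with neither bit set is rejected under both policies.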