-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reflect caching of user verification in WebAuthn assertion #2023
Comments
I'm not sure this is needed? If you have attestation then you'll know what the credential model is and will allow or disallow UP/UV caching. I can't really see a case where a deployment would want this because they either don't do attestation, so credentials are a free-for-all, or they do do attestation and they have strict policy about what credentials are or are not accepted and the properties of those devices. |
The current passkey provider requirements explicitly disallow UV caching. |
I'm sure that it will then shock you to learn about passkey providers that set UV=true when they do not infact re-validate the user. They already do UV caching. Ergo my point still stands - if you care about UV being a strong assertion, you need to attest credentials. |
True from an enforcement-of-policy perspective but understand the point of efforts like this is to make it easier and less of a penalty for passkey providers to tell the truth. |
Theres no penalty for them to lie either. Who's checking and regulating any of this? |
No one now but it could become a factor in receiving e.g. FIDO certification. |
It will most likely be a factor for certification and while we at 1Password will eventually become conformant regardless, that would probably be the fastest driver for us and other credential providers. |
Proposed Change
Some pluggable passkey providers, do not request a fresh user verification for each call to getAssertion.
This is a deviation from the traditional behavior and might surprise relying parties that are using WebAuthn today with the respective default passkey providers.
We propose the following:
a) an ability for the RP to tell the passkey provider that caching of the user verification is allowed (up to a defined time, the maximum user verification caching time maxUVC)
b) an ability for the authenticator to reflect the caching of the user verification in the assertion.
See PR #2021
The text was updated successfully, but these errors were encountered: