The user-verification default of “preferred” is catching most sites out. #1253
Closed
Description
With the launch of PIN support in Chrome 75, we received a bug report that Chrome was now asking for a PIN when logging into Google. It turns out that our server-side team had missed that the default value for userVerification was “preferred” and weren't setting a value. The user in question was unaware that their authenticator had a PIN set, but it did and thus we were asking for it.
Dropbox and Twitter also have no value set for userVerification and that appears to be the same error. (Indeed, it's unclear to me what site would want the behaviour of “preferred”.)
Given that this is catching everyone out, and that setting the default to “discouraged” is backwards compatible, perhaps we should do that.
Activity
emlun commented on Jul 4, 2019
For background, the previous discussion about the default is around here.
equalsJeffH commented on Jul 13, 2019
See also: https://chromium.googlesource.com/chromium/src/+/master/content/browser/webauth/uv_preferred.md
Note this observation therein: There is not currently a way in WebAuthn to express that a site would like user verification if it's low-cost for the user so that later reauthentication may use WebAuthn rather than a password.
...that may merit its own (related) issue.
agl commented on Jul 18, 2019
From the call of 2019-07-17: this was discussed and it was decided to close this issue. @equalsJeffH opened #1259 to make the suggestion concrete and Akshay has replied there. There was also concern that changing the default would make things even more complex for RPs as different browsers might have different values as the default for some time.
We have changed Chrome so that, with Chrome 77, any WebAuthn call that doesn't set an explicit value for `userVerification` will trigger a warning in the JavaScript console pointing to this page. This can be silenced by specifying any explicit value. We hope this will point RPs towards considering whether `preferred` is their desired behaviour.
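As an added example (not code from this issue, the spec, or Chrome): an RP-side helper in JavaScript that always sets `userVerification` explicitly, flags an unset value the way the Chrome 77 console warning does, and reads the UV flag from the returned authenticator data, because `preferred` does not guarantee that verification actually happened. The policy names, the RP ID and the authenticator data bytes are constructed for this example.

```javascript
// Map an RP's own policy to an explicit WebAuthn userVerification value.
// (Policy names are this example's own; WebAuthn defines the three string values.)
const UV_FOR_POLICY = {
  'password-replacement': 'required',   // credential alone proves the user: UV must happen
  'second-factor': 'discouraged',       // password already verified the user: no PIN prompt
};

function buildAssertionOptions(challenge, allowCredentialIds, policy) {
  const userVerification = UV_FOR_POLICY[policy];
  if (!userVerification) throw new Error(`unknown policy: ${policy}`);
  return {
    challenge,
    rpId: 'example.com',                 // assumed RP ID
    allowCredentials: allowCredentialIds.map(id => ({ type: 'public-key', id })),
    userVerification,                    // never rely on the "preferred" default
    timeout: 60000,
  };
}

// Lint options before calling navigator.credentials.get(): returns a warning string
// (modelled on the Chrome 77 warning) when userVerification is not explicitly set.
function lintUserVerification(options) {
  if (options.userVerification === undefined) {
    return 'userVerification not set; default "preferred" may prompt for a PIN';
  }
  return null;
}

// Parse the flags byte of authenticatorData (byte 32, after the 32-byte rpIdHash).
// Bit 0 = user present (UP), bit 2 = user verified (UV).
function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return { userPresent: (flags & 0x01) !== 0, userVerified: (flags & 0x04) !== 0 };
}

// Server-side decision: with "preferred" the authenticator may or may not have
// verified the user, so the RP must check the UV flag rather than trusting the request.
function assertionSatisfiesPolicy(authData, policy) {
  const { userPresent, userVerified } = parseAuthDataFlags(authData);
  if (!userPresent) return false;
  return UV_FOR_POLICY[policy] === 'required' ? userVerified : true;
}

// Constructed sample: 32 zero bytes rpIdHash, flags 0x01 (UP only), 4-byte counter.
const sampleAuthDataUPOnly = new Uint8Array([...new Array(32).fill(0), 0x01, 0, 0, 0, 1]);
```

`parseAuthDataFlags` is the check an RP runs on the server after `navigator.credentials.get()` returns; the browser-side pieces only make the request explicit.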