This PR makes SimpleWebAuthn more opinionated about default functionality and the use case it promotes. The new defaults steer RPs towards implementing passwordless authentication as follows:
Explicitly mark user verification as "preferred" in registration and authentication options (WebAuthn defaults to this value when userVerification is missing from the options)
Require that a discoverable credential be created in registration options
Require that user verification has taken place (i.e. uv:true in the authenticator data flags) during registration and authentication response verification
These changes were inspired by recent doc updates to passkeys.dev on how RPs should mark user verification "preferred"; those docs leave it up to RPs to decide whether UV should be required during response validation:
The user verification result (conveyed in authenticator data flags) will reflect the actual user verification result and should always be validated against your requirements on the server.
I'm deciding to make RPs require that user verification is marked true in the response to ensure a reliable passwordless experience.
THIS IS A BREAKING CHANGE!
RPs that do not require support for discoverable credentials from authenticators will need to update their calls to generateRegistrationOptions() accordingly.
Additionally, RPs implementing a second-factor flow with WebAuthn, where UV is not important (because username+password are provided before WebAuthn is leveraged for the second factor), should not require user verification when verifying responses with verifyRegistrationResponse() and verifyAuthenticationResponse().
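The following is an added example, not code from SimpleWebAuthn or this PR, showing the two sides of the change described above: the registration option shapes for the passwordless flow versus a second-factor flow, and the server-side check of the UV flag in the authenticator data that the new defaults enforce. The option names (authenticatorSelection.residentKey, userVerification) are the WebAuthn spec's own; requireUserVerification is the switch the PR text refers to, while parseAuthenticatorDataFlags, checkUserVerification, buildAuthData and the zeroed sample authenticator data are this example's own constructions.

```javascript
// Added example (not SimpleWebAuthn's own code). Demonstrates the option shapes
// implied by the new defaults and the UV-flag check a server must perform.

// Registration options for the passwordless flow the PR steers RPs toward:
// a discoverable credential is required, and UV is explicitly "preferred".
const passwordlessRegistrationOptions = {
  authenticatorSelection: {
    residentKey: 'required',       // discoverable credential must be created
    userVerification: 'preferred', // explicit, same as the WebAuthn default
  },
};

// Registration options for a second-factor flow: no discoverable credential
// is needed, and UV is still only "preferred".
const secondFactorRegistrationOptions = {
  authenticatorSelection: {
    residentKey: 'discouraged',
    userVerification: 'preferred',
  },
};

// Authenticator data flag bits (WebAuthn spec, authenticator data layout).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

// Parse the flags and signature counter out of raw authenticator data.
// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes BE) | ...
function parseAuthenticatorDataFlags(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Server-side policy check mirroring the PR's new default: user presence is
// always required, and user verification is required unless the RP opts out
// with requireUserVerification: false (the second-factor case).
function checkUserVerification(authData, { requireUserVerification = true } = {}) {
  const { userPresent, userVerified } = parseAuthenticatorDataFlags(authData);
  if (!userPresent) {
    return { ok: false, reason: 'user presence flag not set' };
  }
  if (requireUserVerification && !userVerified) {
    return { ok: false, reason: 'user verification required but UV flag not set' };
  }
  return { ok: true, reason: '' };
}

// Constructed sample authenticator data: zeroed rpIdHash (not a real hash),
// the given flags byte, and a signature counter of 7.
function buildAuthData(flags) {
  const buf = Buffer.alloc(37, 0);
  buf[32] = flags;
  buf.writeUInt32BE(7, 33);
  return buf;
}

const uvAuthData = buildAuthData(FLAG_UP | FLAG_UV); // authenticator verified the user
const noUvAuthData = buildAuthData(FLAG_UP);         // presence only, no UV

// Passwordless flow (new default): UV must be set.
console.log('passwordless, UV set:', checkUserVerification(uvAuthData));
console.log('passwordless, UV missing:', checkUserVerification(noUvAuthData));
// Second-factor flow: RP opts out, presence alone is acceptable.
console.log('second factor, UV missing:',
  checkUserVerification(noUvAuthData, { requireUserVerification: false }));
```

The key point for migrating RPs is the third call: a response whose UV flag is clear fails under the new default and only passes when the RP explicitly sets requireUserVerification to false, which is the correct setting only when a password (or another first factor) has already been checked.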