Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

How to limit the number of available factors #200

Closed igorlogvin closed 2 years ago

igorlogvin commented 2 years ago

Hello again @emlun ! I tried reading this section.

I need to limit the number of factors to identify a user through webauth. I need to exclude pin code input from authentication. That is, for example, on an iPhone, if a face reads it incorrectly several times, then it is proposed to enter a pin code. So I need to somehow exclude this operation and leave only face or touch ID.

Can you please explain to me how?

emlun commented 2 years ago

Hi! That is not possible, and there's nothing this library can do about it.

In theory you might be able to use the uvm extension to find out after the fact which user verification method was used, but only if the authenticator supports it, and only if the browser actually passes the extension through to the authenticator. As far as I know none of the major browsers pass the extension through, and I don't think iOS supports the extension either. Either way there is no way to signal a preference for a particular method of user verification in advance.

The most you could do is use authenticator attestation to only allow authenticators that only provide acceptable authentication factors. I would advise against that, since you'd likely end up with such a narrow set of allowable authenticators that only very few of your users can satisfy it.

See also this related issue in the spec: https://github.com/w3c/webauthn/issues/1728
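As an added illustration of the "after the fact" point in the answer above (this is example code, not code from the issue, the library's documentation, or the project): request the uvm extension at registration and, only if the authenticator and browser actually returned it, record the reported user-verification method and apply a policy to it. The class and method names used here (`RegistrationExtensionInputs.builder().uvm()`, `RegistrationResult.getAuthenticatorExtensionOutputs()`, the `getUvm()` accessor, `getUserVerificationMethod()` on each entry, and the `UserVerificationMethod` constants) are my reading of the library's 2.x API and are assumptions to check against the version in use; `rp` and `user` are assumed to be constructed elsewhere.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

import com.yubico.webauthn.RegistrationResult;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.StartRegistrationOptions;
import com.yubico.webauthn.data.AuthenticatorSelectionCriteria;
import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
import com.yubico.webauthn.data.RegistrationExtensionInputs;
import com.yubico.webauthn.data.UserIdentity;
import com.yubico.webauthn.data.UserVerificationRequirement;
import com.yubico.webauthn.extension.uvm.UserVerificationMethod;

/** Example (not from the project): a uvm-based policy that can only be applied after the fact. */
public class UvmPolicyExample {

    /** Outcome of applying the policy to whatever the authenticator reported. */
    public enum Verdict { ACCEPTED, REJECTED, UNKNOWN }

    // Methods this relying party is willing to accept *if* the authenticator reports one.
    // Passcode/PIN constants are deliberately absent, mirroring the policy the issue asks for.
    // (Constant names assumed from the FIDO UVM registry as mirrored by the library.)
    private static final Set<UserVerificationMethod> ACCEPTED_METHODS = EnumSet.of(
        UserVerificationMethod.USER_VERIFY_FINGERPRINT_INTERNAL,
        UserVerificationMethod.USER_VERIFY_FACEPRINT_INTERNAL);

    /** Step 1: require user verification and ask the client for the uvm extension. */
    public static PublicKeyCredentialCreationOptions startRegistration(RelyingParty rp, UserIdentity user) {
        return rp.startRegistration(StartRegistrationOptions.builder()
            .user(user)
            .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
                // Requiring UV says nothing about *which* method; that is the limitation in the thread.
                .userVerification(UserVerificationRequirement.REQUIRED)
                .build())
            // Assumed builder method: requests the "uvm" extension from the client.
            .extensions(RegistrationExtensionInputs.builder().uvm().build())
            .build());
    }

    /**
     * Step 2: after rp.finishRegistration(...) succeeded, inspect the authenticator extension
     * output. Most browsers drop the extension, so UNKNOWN is the expected common case.
     */
    public static Verdict evaluate(RegistrationResult result) {
        Optional<List<UserVerificationMethod>> reported = result.getAuthenticatorExtensionOutputs()
            .flatMap(outputs -> outputs.getUvm())               // assumed: Optional<List<UvmEntry>>
            .map(entries -> entries.stream()
                .map(entry -> entry.getUserVerificationMethod()) // assumed accessor on UvmEntry
                .collect(Collectors.toList()));

        if (reported.isEmpty() || reported.get().isEmpty()) {
            // No uvm output: nothing can be concluded about the method that was used.
            return Verdict.UNKNOWN;
        }
        // A single registration may report several methods; reject if any is outside policy.
        boolean allAccepted = reported.get().stream().allMatch(ACCEPTED_METHODS::contains);
        return allAccepted ? Verdict.ACCEPTED : Verdict.REJECTED;
    }
}
```

Even where this does work, the verdict arrives after the ceremony has already completed, so the most it can do is refuse to store the credential or record which method was observed; it cannot stop the platform from offering its PIN fallback during a later authentication, which is the point made above.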

igorlogvin commented 2 years ago

Okay, Emil. Thanks for the answer.

It seems that we have no choice but to warn the user that if an attacker gains access to the phone, he will be able to use webauthn using the selection of a pin code, since iOS, after several unsuccessful attempts to read the face, suggests entering a pin code. Here, most likely, the options will not pass by the timeout that is set in the start options.

emlun commented 2 years ago

Yes, most authenticators allow fallback to a PIN or similar since biometrics can be unreliable even for the legitimate user. Also note that clients MAY override the timeout option if they like.