emlun
commented
3 days ago Hi!
It is not possible to specify this in the input parameters; this is not a limitation of the library but an intentional limitation in the WebAuthn standard.
It is theoretically possible to obtain the information from the success response - but note, theoretically. This could be done in one of two ways:
- Request attestation during the registration, and verify that the attestation is trusted. This will let you know for certain what kind of authenticator the user is using. Thus by extension you'll know that the user must have used one of the forms of UV that authenticator supports - for example, a YubiKey 5 could only perform UV using PIN. If the authenticator supports more than one method, then you cannot know which of the two was used - for example, a YubiKey Bio could perform UV using either PIN or fingerprint, and there is no way to tell which was used.
-
Request the [
uvmextension](https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.3/com/yubico/webauthn/data/AssertionExtensionInputs.AssertionExtensionInputsBuilder.html#uvm()). If supported by the authenticator, this extension will return a representation of which user verification method(s) were used, as defined in the extension definition.However, the caveat here is that very few authenticators support this extension, so you can't count on getting this extension output in most cases. YubiKeys do not support this extension, for example. Also, the browser may or may not pass the extension through; I don't know which browsers currently do and don't.
Those are the only two options as far as I know.
MarklearnML
Hello, thank you for your excellent work. I would like to know whether it is possible to specify the authentication method when initiating registration/authentication, that is, to use only face recognition or only a PIN code for authentication. Alternatively, after successful authentication, is it possible to obtain the user's authentication method?
Looking forward to your reply.
Best wishes