cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License

Update documentation to avoid PIN bypass #372

Open tcannonfodder opened 1 year ago

tcannonfodder commented 1 year ago

This fixes #350, which pointed out a bug in certain browser/device combinations that allows bypassing the user's PIN if the user_verification: true flag is not set.

https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
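The bypass referenced above comes down to one byte of the assertion: the authenticator data "flags" byte carries a UV (user verified) bit, and a Relying Party that only asks for user verification as "preferred" (or asks for it and never checks the bit) will accept a response in which the authenticator skipped the PIN. The following is an added, self-contained Ruby example, not code from webauthn-ruby, that parses a constructed assertion authenticatorData (rpIdHash || flags || signCount) and shows the check a server must perform; the function names and the sample RP ID `example.com` are assumptions for illustration.

```ruby
require "digest"

# Flag bits of the authenticatorData "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01 # user present (touch)
FLAG_UV = 0x04 # user verified (PIN, biometric, etc.)
FLAG_AT = 0x40 # attested credential data follows (registration only)
FLAG_ED = 0x80 # extension data follows

class VerificationError < StandardError; end

# Constructs the 37-byte assertion authenticatorData an authenticator returns
# during navigator.credentials.get(): SHA-256(rpId) || flags || signCount (big-endian).
# This is test input built here for the example, not captured from a real device.
def build_authenticator_data(rp_id, flags, sign_count)
  Digest::SHA256.digest(rp_id) + [flags].pack("C") + [sign_count].pack("N")
end

# Splits authenticatorData into its fixed fields.
def parse_authenticator_data(bytes)
  raise ArgumentError, "authenticator data too short" if bytes.bytesize < 37
  rp_id_hash, flags, sign_count = bytes.unpack("a32CN")
  { rp_id_hash: rp_id_hash, flags: flags, sign_count: sign_count }
end

# Applies the RP policy to the flags. With require_user_verification: false
# (the "preferred"/"discouraged" posture this PR argues against) an assertion
# carrying only UP is accepted, which is exactly the PIN-bypass condition.
def verify_assertion_flags(auth_data, rp_id:, require_user_verification:)
  parsed = parse_authenticator_data(auth_data)

  unless parsed[:rp_id_hash] == Digest::SHA256.digest(rp_id)
    raise VerificationError, "rpIdHash does not match the expected RP ID"
  end
  if (parsed[:flags] & FLAG_UP).zero?
    raise VerificationError, "user presence (UP) flag not set"
  end
  if require_user_verification && (parsed[:flags] & FLAG_UV).zero?
    raise VerificationError, "user verification required but UV flag not set"
  end

  parsed
end

# Convenience wrapper returning true/false instead of raising.
def assertion_accepted?(auth_data, rp_id:, require_user_verification:)
  verify_assertion_flags(auth_data, rp_id: rp_id,
                         require_user_verification: require_user_verification)
  true
rescue VerificationError
  false
end

if __FILE__ == $PROGRAM_NAME
  rp = "example.com"
  pin_skipped = build_authenticator_data(rp, FLAG_UP, 1)            # touch only, no PIN
  pin_entered = build_authenticator_data(rp, FLAG_UP | FLAG_UV, 2)  # touch + PIN

  puts "UV not required, PIN skipped: #{assertion_accepted?(pin_skipped, rp_id: rp, require_user_verification: false)}"
  puts "UV required,     PIN skipped: #{assertion_accepted?(pin_skipped, rp_id: rp, require_user_verification: true)}"
  puts "UV required,     PIN entered: #{assertion_accepted?(pin_entered, rp_id: rp, require_user_verification: true)}"
end
```

Requesting `userVerification: "required"` in the get/create options alone is not enough; the server must also verify the UV bit in the returned authenticator data, since the client cannot be trusted to have honored the request. In webauthn-ruby that server-side check is what the `user_verification: true` option discussed in this PR turns on, and the example above is the same flag test in isolation.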

tcannonfodder commented 1 year ago

I feel like, in order to help with the migration to passkeys, the docs should be set up so that user_verification is required throughout.

brauliomartinezlm commented 1 year ago

Sorry for the delay. Will take a look ASAP