Open tcannonfodder opened 1 year ago
This fixes #350, which pointed out a bug in certain browser/device combinations that allow bypassing the user's PIN if the user_verification: true flag is not set.
https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
I feel that, in order to help with the migration to passkeys, the docs should be set up so that user_verification is required throughout.
Sorry for the delay. Will take a look ASAP
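Added example, not part of this pull request or the project's code: a minimal server-side check, in Ruby, of the UV flag in WebAuthn authenticator data, which is what requiring user verification comes down to on the relying party. The helper names and the sample data are assumptions constructed for illustration; signature, challenge and origin verification are out of scope here.

```ruby
require "digest"

# Authenticator data layout (WebAuthn): 32-byte rpIdHash, 1-byte flags,
# 4-byte big-endian signature counter, then optional extra data.
FLAG_USER_PRESENT  = 0x01 # UP, bit 0
FLAG_USER_VERIFIED = 0x04 # UV, bit 2
MIN_AUTH_DATA_LEN  = 37

class AuthDataError < StandardError; end

# Hypothetical helper: parse the fixed header of authenticatorData.
def parse_auth_data(bytes)
  bytes = bytes.b
  raise AuthDataError, "authenticator data too short" if bytes.bytesize < MIN_AUTH_DATA_LEN

  flags = bytes.getbyte(32)
  {
    rp_id_hash: bytes.byteslice(0, 32),
    user_present: (flags & FLAG_USER_PRESENT) != 0,
    user_verified: (flags & FLAG_USER_VERIFIED) != 0,
    sign_count: bytes.byteslice(33, 4).unpack1("N")
  }
end

# Hypothetical helper: reject an assertion whose UV flag is clear when the
# relying party requires user verification (the default here).
def check_auth_data!(bytes, rp_id:, user_verification: true)
  data = parse_auth_data(bytes)
  raise AuthDataError, "rpIdHash mismatch" unless data[:rp_id_hash] == Digest::SHA256.digest(rp_id)
  raise AuthDataError, "user presence flag not set" unless data[:user_present]
  if user_verification && !data[:user_verified]
    raise AuthDataError, "user verification required but UV flag not set"
  end

  data
end

# Constructed sample input: rpIdHash + flags + counter, no extensions.
def sample_auth_data(rp_id, flags, count)
  Digest::SHA256.digest(rp_id) + [flags, count].pack("CN")
end
```

With the check disabled (`user_verification: false`), an assertion carrying only the UP flag passes, so the server never learns whether the PIN or biometric step took place.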