cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License

added userPresence check with userVerification = true #418

Open cheeeeenais opened 7 months ago

cheeeeenais commented 7 months ago

User Presence check is not checked in case User Verification is true.

santiagorodriguez96 commented 6 months ago

Seems like this is intended: https://github.com/cedarcode/webauthn-ruby/pull/74

I'm wondering... would it be possible for a response to have the UV set without having the UP flag set?

According to this thread that shouldn't be possible 🤔

santiagorodriguez96 commented 6 months ago

Having said that I do think it makes sense to follow the Webauthn spec and always require the UP bit to be set.

I'm just trying to understand if this is actually a critical issue or not 🙂
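Added example, not code from webauthn-ruby or from any participant in this thread: it parses the fixed prefix of WebAuthn authenticator data and contrasts the two flag checks discussed above, the one the issue describes (only UV checked when user verification is required) and the spec's rule that the UP bit must be set in every response. Flag bit positions follow the WebAuthn spec's authenticator data layout; the function names, the `require_up_always` parameter and the sample authenticator data are constructed for this example.

```ruby
require "digest"

# Bit positions in the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 1 << 0   # bit 0: user present
FLAG_UV = 1 << 2   # bit 2: user verified
FLAG_AT = 1 << 6   # bit 6: attested credential data follows
FLAG_ED = 1 << 7   # bit 7: extension data follows

AuthData = Struct.new(:rp_id_hash, :flags, :sign_count, keyword_init: true)

# Parse the fixed 37-byte prefix of authenticatorData:
# rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
def parse_authenticator_data(bytes)
  if bytes.bytesize < 37
    raise ArgumentError, "authenticator data too short: #{bytes.bytesize} bytes"
  end
  rp_id_hash, flags, sign_count = bytes.unpack("a32CN")
  AuthData.new(rp_id_hash: rp_id_hash, flags: flags, sign_count: sign_count)
end

# Evaluate the UP/UV flags. With require_up_always: false this reproduces the
# behaviour the issue describes (only UV is checked when user verification is
# required); with require_up_always: true it follows the spec's assertion
# verification steps, where UP must be set in every response.
def check_flags(flags, user_verification_required:, require_up_always: true)
  up = (flags & FLAG_UP) != 0
  uv = (flags & FLAG_UV) != 0
  if user_verification_required
    return :uv_missing unless uv
    return :up_missing if require_up_always && !up
  else
    return :up_missing unless up
  end
  :ok
end

# Combined check for one assertion: rpIdHash must match the RP ID, then the
# flags are evaluated. Returns :ok or a symbol naming the failed check.
def verify_assertion(auth_data_bytes, rp_id:, user_verification_required:, require_up_always: true)
  data = parse_authenticator_data(auth_data_bytes)
  return :rp_id_hash_mismatch unless data.rp_id_hash == Digest::SHA256.digest(rp_id)
  check_flags(data.flags,
              user_verification_required: user_verification_required,
              require_up_always: require_up_always)
end

# Constructed sample authenticator data (no real authenticator involved).
def build_authenticator_data(rp_id, flags, sign_count)
  [Digest::SHA256.digest(rp_id), flags, sign_count].pack("a32CN")
end

SAMPLE_UV_ONLY = build_authenticator_data("example.com", FLAG_UV, 7)             # UV=1, UP=0
SAMPLE_UV_AND_UP = build_authenticator_data("example.com", FLAG_UV | FLAG_UP, 8) # UV=1, UP=1

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_UV_ONLY, SAMPLE_UV_AND_UP].each do |sample|
    flags = parse_authenticator_data(sample).flags
    puts format("flags=0x%02x uv_only_check=%s spec_check=%s", flags,
                check_flags(flags, user_verification_required: true, require_up_always: false),
                check_flags(flags, user_verification_required: true))
  end
end
```

The UV-only variant accepts the constructed UV=1, UP=0 response, while the spec variant rejects it with `:up_missing`; a response with both bits set passes either way. Whether a real authenticator can produce UV without UP is the open question in the thread, so the spec-following check is the safe default regardless of the answer.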

cheeeeenais commented 6 months ago

Hey Santiago,

It seems like nobody actually knows what UP is intended to be, as the specification is also rather vague. I think for completeness you can follow the standard by verifying always only UP (or by adding the UP=0 and UV=1 check). I don't believe this is anything critical. Am I allowed to publish this finding in my research work? Thanks in advance!

Peizhou Chen

> On 26 Jan 2024, at 19:58, Santiago Rodriguez wrote:
> Having said that I do think it makes sense to follow the Webauthn spec and always require the UP bit to be set. I'm just trying to understand if this is actually a critical issue or not 🙂


santiagorodriguez96 commented 6 months ago

> Am I allowed to publish this finding in my research work?

Yeah, for sure!