Closed jwag956 closed 2 years ago
These determinations are already possible as part of authentication response verification. The library always requires that `up` flag be True, as per the spec (see Step 16) which at a minimum requires single-factor to have been completed. You can optionally require `uv` be True as well by setting `require_user_verification=True` when invoking `verify_authentication_response()`, which should satisfy the multi-factor authentication requirement. As such I don't see a need for returning authData flags for any further determination as there's nothing else to really do with that data.
Yes - you are correct - I just need to move around some code to determine which 'factor' I need before calling into the verify_authentication_response...
Currently, on successful verify_authentication_response, a VerifiedAuthentication struct is returned - this currently has the credential_id and sign_count. It would be very useful for RPs if they also got the AuthenticatorDataFlags so that decisions about whether the authenticator satisfied single or multi-factor authentication could be made.
I am more than happy to issue a PR if you think this is a good idea.
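For reference, the flags discussed in this thread sit in byte 32 of the raw authenticator data, after the 32-byte rpIdHash and before the 4-byte big-endian signature counter. The sketch below is an added example, not code from the library or from anyone in this thread: `parse_auth_data_header` and `factor_level` are hypothetical helper names, the sample bytes are constructed, and it assumes the assertion signature over the authenticator data has already been verified.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Bit masks for the flags byte in the WebAuthn authenticator data layout.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


@dataclass(frozen=True)
class AuthDataHeader:
    rp_id_hash: bytes
    up: bool
    uv: bool
    sign_count: int


def parse_auth_data_header(auth_data: bytes) -> AuthDataHeader:
    """Decode rpIdHash (32 bytes), flags (1 byte), signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthDataHeader(
        rp_id_hash=auth_data[:32],
        up=bool(flags & FLAG_UP),
        uv=bool(flags & FLAG_UV),
        sign_count=sign_count,
    )


def factor_level(auth_data: bytes, expected_rp_id: str) -> str:
    """Classify an already signature-verified assertion by its UP/UV flags."""
    hdr = parse_auth_data_header(auth_data)
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(hdr.rp_id_hash, expected):
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not hdr.up:
        # Without user presence the assertion does not count as any factor.
        raise ValueError("user presence (up) flag not set")
    return "multi-factor" if hdr.uv else "single-factor"


def make_sample(flags: int, count: int = 7, rp_id: str = "example.com") -> bytes:
    """Constructed authenticator data for demonstration only."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
```

The flags are only trustworthy once the signature that covers the authenticator data has been checked, so a helper like this belongs after verification, never in place of it.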