Option to turn off "User Presence"

duo-labs / webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.

https://webauthn.io

BSD 3-Clause "New" or "Revised" License

635 stars 116 forks source link

Option to turn off "User Presence" #108

Closed ted944 closed 8 months ago

ted944 commented 9 months ago

Hi,

In the current version, the "User Presence" is not an option and is always required.

I'd like to have the option to be able to turn it on or off to test tokens that don't have the "tap button" for user presence signal.

It'd be great to have the option to test different tokens with different form factors.

Thanks

MasterKale commented 8 months ago

There must be a test of user presence during a WebAuthn ceremony as per the spec:

https://www.w3.org/TR/webauthn-2/#test-of-user-presence

If an authenticator cannot provide this then it's likely not FIDO2-compatible. I can't see the benefit right now in allowing testing of non-FIDO2-compliant hardware on webauthn.io to result in successful registration and authentication as the site is purpose-built to preview spec-compliant WebAuthn functionality as best it can.