Closed unoukujou closed 4 months ago
`userVerification` defaults to `"preferred"` on webauthn.io, see Advanced Settings dropdown:

This leaves the door open for OSes and browsers to make decisions about the user's experience - in some cases user verification will get skipped because the RP has signaled that it is okay with this happening.

To avoid this behavior, RPs can mark `userVerification` as `"required"`. The user will more consistently get prompted to e.g. provide security key PIN.

As a security key user, the `alwaysuv` CTAP2.1 setting gives you agency to require PIN entry regardless of the RP's settings. Some security key vendors like Yubico offer tools like their Yubico Authenticator desktop app to help configure settings like `alwaysuv` on the security key itself.
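Added example, not code from the thread or from webauthn.io: the RP-side half of `"required"`. Sending `userVerification: "required"` in the request only tells the client what to do; the RP must also check the UV bit in the returned `authenticatorData`, otherwise an assertion produced without a PIN (the touch-only flow described in the question) is still accepted. The RP ID, challenge and credential IDs below are placeholders, and the sample `authenticatorData` buffers are constructed, not real captures.

```javascript
// Added example (not from the original thread). Builds the request options an RP
// hands to navigator.credentials.get() and verifies the flags byte of the
// authenticatorData that comes back, which is the check that actually enforces
// user verification on the server side.

const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)
const FLAG_BE = 0x08; // backup eligible
const FLAG_BS = 0x10; // backup state
const FLAG_AT = 0x40; // attested credential data present
const FLAG_ED = 0x80; // extension data present

// Options for navigator.credentials.get(). The default here is "required", the
// value the thread recommends over webauthn.io's default of "preferred".
// rpId is an assumed placeholder; the challenge must be a fresh server nonce.
function buildRequestOptions(challenge, allowCredentialIds, userVerification = "required") {
  return {
    publicKey: {
      challenge,
      rpId: "example.com",
      allowCredentials: allowCredentialIds.map((id) => ({ type: "public-key", id })),
      userVerification, // "required" | "preferred" | "discouraged"
      timeout: 60000,
    },
  };
}

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    flags: {
      up: (flags & FLAG_UP) !== 0,
      uv: (flags & FLAG_UV) !== 0,
      be: (flags & FLAG_BE) !== 0,
      bs: (flags & FLAG_BS) !== 0,
      at: (flags & FLAG_AT) !== 0,
      ed: (flags & FLAG_ED) !== 0,
    },
    signCount,
  };
}

// Server-side policy check on an assertion. requireUv should be true whenever the
// RP asked for userVerification: "required"; under "preferred" the UV bit is informational.
function checkAssertionFlags(authData, requireUv) {
  const { flags } = parseAuthenticatorData(authData);
  if (!flags.up) return { ok: false, reason: "user presence flag not set" };
  if (requireUv && !flags.uv) return { ok: false, reason: "UV required but user verified flag not set" };
  return { ok: true, reason: "" };
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags byte, signCount = 1.
function sampleAuthData(flagsByte) {
  const buf = new Uint8Array(37);
  buf[32] = flagsByte;
  buf[36] = 1;
  return buf;
}

const UV_AND_UP = sampleAuthData(FLAG_UP | FLAG_UV); // PIN was entered, then the key was touched
const UP_ONLY = sampleAuthData(FLAG_UP);             // touch only, no PIN (the case the question describes)

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAssertionFlags(UV_AND_UP, true)); // accepted
  console.log(checkAssertionFlags(UP_ONLY, true));   // rejected: UV required but not performed
  console.log(checkAssertionFlags(UP_ONLY, false));  // accepted under "preferred"
}
```

`buildRequestOptions` runs in the browser; the parsing and policy check run on the server against the `authenticatorData` bytes of the assertion response. Note that `"required"` still does not force a PIN on every authenticator for every ceremony the way the key-side `alwaysuv` setting does; it only makes the RP refuse assertions where the client and authenticator skipped it.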
Well thank goodness for that. I'll look into it. I find it quite strange that this is even normal. If I set a PIN, I don't need anything coming out of that key without the PIN. Worst part is, if I had only tested it with Safari, I would have gone on thinking I had my key locked down. Who knew I could just use a different browser and bypass the PIN. Really doesn't make sense, but I'm glad there is a setting to fix that. Thanks for the info.
On iOS Safari, logging in asks me for my YubiKey PIN.
On Android Chrome, I log in to that same account with the same YubiKey, only it doesn't ask for my PIN?
So what's going on? If I lose my YubiKey, someone who finds it can bypass the PIN by just using Chrome on Android?
How can I make sure my YubiKey never authenticates without the PIN?