passkeydeveloper / passkeys.dev

source for the passkeys.dev developer site
https://passkeys.dev

User verification description requires an update #289

Closed irew closed 7 months ago

irew commented 8 months ago

Issue with existing content

Link to content

https://passkeys.dev/docs/reference/terms/#user-verification-uv

What is the issue?

The current content is the following:

User Verification (UV)

User Verification (UV) requires the user to either perform a biometric gesture or enter the device PIN for the authenticator to authorize creation and use of the credential. In some cases, UV also satisfies a test of User Presence (such as when the authenticator itself has a biometric built-in or the device PIN is entered directly into the authenticator).

What is missing is any mention of a password being used for UV. Also, the language here is deliberately vague about the authenticator and what it is. The language matches hardware authenticators well, and to an extent platform authenticators, but it's not so clear whether it also applies to third-party software authenticators. In WebAuthn-speak this all makes sense, but my assumption is that the audience is not going to be speaking WebAuthn very fluently, if at all.

Proposed changes

This could be split into platform authenticators, hardware keys, and third-party authenticators. I don't know whether any hardware authenticator can require a password for UV. Many third-party passkey providers will probably depend on a password as a way of performing UV.

I like how GitHub refers to this:

Passkeys are a password replacement that validates your identity using touch, facial recognition, a device password, or a PIN.

So perhaps we can re-word it to something like:

User Verification (UV) requires the user to perform a biometric gesture, enter the device PIN, or input a device/session password to enable the authenticator to authorize the creation or utilization of the credential. In some cases, UV also satisfies a test of User Presence (such as when the authenticator itself has biometry built-in or the device PIN is entered directly into the authenticator).

Though I don't have a suggestion on how to improve the last part:

...such as when the authenticator itself has biometry built-in or the device PIN is entered directly into the authenticator

This feels awkward and hardware-key-centric.
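Whatever gesture performs UV (biometric, device PIN, or a provider's password), the relying party never learns which one was used: it only sees the UV bit in the authenticatorData flags byte and must decide whether that satisfies its own `userVerification` requirement. The following is an added example (not code from passkeys.dev) that parses the fixed 37-byte authenticatorData prefix and applies that check; the RP ID and the constructed authenticatorData values are assumptions for illustration.

```python
import hashlib
import struct

# authenticatorData flag bits as laid out in the WebAuthn spec (section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified (biometric, PIN, or provider password: not distinguishable here)
FLAG_BE = 0x08  # Backup Eligible
FLAG_BS = 0x10  # Backup State


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix (rpIdHash, flags, signCount) into named fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_verification_policy(auth_data: bytes, rp_id: str, user_verification: str) -> list:
    """Return policy violations for an assertion; an empty list means it passes.

    user_verification is what the RP sent in PublicKeyCredentialRequestOptions:
    "required", "preferred" or "discouraged". Only "required" makes the UV bit mandatory.
    """
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not parsed["user_present"]:
        problems.append("UP flag not set: no user presence test")
    if user_verification == "required" and not parsed["user_verified"]:
        problems.append("UV flag not set but relying party required user verification")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed, minimal authenticatorData (no attested credential data) for tests."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    print(check_verification_policy(make_auth_data("example.com", FLAG_UP | FLAG_UV, 1), "example.com", "required"))
    print(check_verification_policy(make_auth_data("example.com", FLAG_UP, 1), "example.com", "required"))
```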