Closed equalsJeffH closed 6 years ago
In (2), options stipulating "require user verification", "require user presence test" are expected to be passed
Current language specifies to always perform a user presence test (unless user verification is performed), so the latter option does not currently exist (as discussed in https://github.com/w3c/webauthn/issues/629#issuecomment-336574658).
This is not actionable without a PR. @equalsJeffH - do you plan to create one soon - ideally during this week's FIDO plenary?
yes i plan to "create one soon" but meeting(s) I'm participating in have priority.
fixed by PR #782
clarify "authenticator model": RPs may perform feature-based authenticator selection with both
navigator.credentials.create()
(which invokes webauthn's #createCredential), andnavigator.credentials.get()
(which invokes webauthn's #getAssertion).In (1), options stipulating "require resident key" and "require user verification" are expected to be passed (see also #536, #524), e.g., ultimately to CTAP's authenticatorMakeCredential command.
In (2), options stipulating "require user verification", "require user presence test" are expected to be passed (see also #629, #524), e.g., ultimately to CTAP's authenticatorGetAssertion command.