You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
WebAuthn API has isUVPAA() for RP to check whether the current user device has available platform authenticator.
This API may return true if the following conditions are met:
The platform provides or has attached (bound) WebAuthn authenticators
The authenticator is enabled (feature turned on) and user verification method (like PIN or biometrics) is enrolled on the authenticator if it supports uv.
Sometime RP wants to promote WebAuthn even in case where the user has platform authenticator but it is not enabled.
If there is such API, RPs are willing to check and show some guides for users to enable the authenticator depending on the policy.
I'm not sure how much of the users' devices do have the platform authenticator but not enabled for Android/Win10.
The text was updated successfully, but these errors were encountered:
(a) The authenticator is enabled (feature turned on) and (b) user verification method (like PIN or biometrics) is enrolled on the authenticator (c) if it supports uv.
You are arguing that isUVPAA() ought to be more rigorously specified wrt (a) and (b)? I'm not sure whether that would be viewed as reasonable by client platform implementors.
@equalsJeffH Just returning true/false to RP is not sufficient to handle UVPAA. As @jafisher-microsoft suggested, we would get more information. This is also good for platform vendors since they are able to get more chances to enable such new features.
Currently, Win10 and Android does not return true even it has supported authenticator on the platform if it is not enabled.
WebAuthn API has isUVPAA() for RP to check whether the current user device has available platform authenticator.
This API may return true if the following conditions are met:
Sometime RP wants to promote WebAuthn even in case where the user has platform authenticator but it is not enabled.
If there is such API, RPs are willing to check and show some guides for users to enable the authenticator depending on the policy.
I'm not sure how much of the users' devices do have the platform authenticator but not enabled for Android/Win10.
The text was updated successfully, but these errors were encountered: