The step 12 mandating in section 7.2 mandating UP:
Verify that the User Present bit of the flags in authData is set.
Some of the authenticators, such as smart cards, don't have UP. So in this case UV should be enough.
I thought that UP was required to prevent silent authentications from being solicited via webauthn.
Some of the authenticators, such as smart cards, don't have UP. So in this case UV should be enough.
Depends on what you mean by "UP". They don't have a "button" dedicated to user presence, but their operation (tapping a NFC smart card to a reader, inserting a buttonless USB authenticator) does actually prove to a relying party that the user is present.
their operation (tapping a NFC smart card to a reader, inserting a buttonless USB authenticator) does actually prove to a relying party that the user is present.
I agree, but it's debatable whether a USB device left plugged in for an extended time (perhaps with a PIN cached for the session) should still be regarded as guaranteeing user presence.
@sbweeden UP or UV. If UV set to false, UP is request. V.V.
The table explaining UP/UV combinations at the end of https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#authenticatorGetAssertion (right before https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#authenticatorGetNextAssertion) may be helpful in considering this issue. It says:
Flags | Meaning
-- | --
"up"=0 "uv"=0 | Silent authentication
"up"=1 "uv"=0 | Physical user presence verified, but no user verification
"up"=0 "uv"=1 | User verification performed, but physical user presence not verified (a typical "smartcard scenario")
"up"=1 "uv"=1 | User verification performed and physical user presence verified
@herrjemand At this point i'm not sure anything needs to be done here
@nadalin The question is whether the guidance in the webauthn spec (that UP must ALWAYS be set in authenticate responses from the authenticator) is correct?
At the very least we need to make that determination.
At this moment, we don't allow silent authentication and every response has UP set. There is no scenario where UV is set and UP is not set. "Smart Card" scenario doesn't exist right now as platform has to look for user interaction before doing anything. So no change is required right now.
@herrjemand Discussed on call and closing no action
Most helpful comment
At this moment, we don't allow silent authentication and every response has UP set. There is no scenario where UV is set and UP is not set. "Smart Card" scenario doesn't exist right now as platform has to look for user interaction before doing anything. So no change is required right now.