authenticator-rs

[CTAP2] Support some kind of "user_verification = preferred"

Open msirringhaus opened this issue 3 years ago • 0 comments

Right now, the API only has a boolean for the option user_verification, which will produce a rather nondescript "Option not allowed" error if it is set to true but the token has no PIN set (or other kind of verification mechanism).

WebAuthn defines the option as

enum UserVerificationRequirement {
    "required",
    "preferred",
    "discouraged"
};

where "preferred" is defined as:

This value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.

On the CTAP side of things, we only know whether the token has a PIN (or other user verification method) set somewhere in the middle of the register or sign process (when getting the GetInfo response). I think we have three options here:

  1. Return a more descriptive error, so that users of this crate can modify their request (to uv = false) and submit it again
  2. Introduce our own "preferred", where the definition would deviate from WebAuthn ("Do uv, if the token supports it, otherwise don't")
  3. Silently downgrade any uv = true request to uv = false, if the token can't do it.

IMHO, option 3 is wrong. Option 2 might be nice from a usability POV, but might also be confusing because of the different definition.

msirringhaus, Mar 23 '22 16:03
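A sketch of how options 1 and 2 from the issue could be combined, added here as an illustration; it is not code from authenticator-rs or from the issue author. The type and function names (`TokenOptions`, `UvError`, `resolve_uv`) are hypothetical, and the token state is modelled on the `clientPin` and `uv` entries of the CTAP2 GetInfo options map.

```rust
// Added example: hypothetical types, not the authenticator-rs API.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UserVerificationRequirement { Required, Preferred, Discouraged }

/// The two relevant GetInfo options. `None`: option absent (not supported),
/// `Some(false)`: supported but not set up, `Some(true)`: set up and usable.
#[derive(Debug, Clone, Copy)]
pub struct TokenOptions { pub client_pin: Option<bool>, pub uv: Option<bool> }

/// Descriptive errors (option 1) so the caller can decide to retry without UV.
#[derive(Debug, PartialEq, Eq)]
pub enum UvError { NotConfigured, NotSupported }

/// Ok(true): send the request with UV. Ok(false): send it without.
/// `Required` is never downgraded silently (option 3 is rejected).
pub fn resolve_uv(req: UserVerificationRequirement, opts: TokenOptions) -> Result<bool, UvError> {
    let ready = opts.client_pin == Some(true) || opts.uv == Some(true);
    let supported = opts.client_pin.is_some() || opts.uv.is_some();
    match req {
        UserVerificationRequirement::Discouraged => Ok(false),
        // Option 2: "Do uv, if the token supports it, otherwise don't".
        UserVerificationRequirement::Preferred => Ok(ready),
        UserVerificationRequirement::Required if ready => Ok(true),
        UserVerificationRequirement::Required if supported => Err(UvError::NotConfigured),
        UserVerificationRequirement::Required => Err(UvError::NotSupported),
    }
}

fn main() {
    use UserVerificationRequirement::*;
    // Constructed sample tokens, not captured GetInfo responses.
    let tokens = [
        ("PIN set", TokenOptions { client_pin: Some(true), uv: None }),
        ("PIN supported but unset", TokenOptions { client_pin: Some(false), uv: None }),
        ("no UV method", TokenOptions { client_pin: None, uv: None }),
    ];
    for (name, opts) in tokens.iter() {
        for req in [Required, Preferred, Discouraged].iter() {
            println!("{:<24} {:<12?} -> {:?}", name, req, resolve_uv(*req, *opts));
        }
    }
}
```

A relying party that asked for "preferred" still has to check the UV flag in the response, since `Ok(false)` means the operation proceeds without user verification.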