server/require-user-verification

[MasterKale]

While dogfooding the server library I confused myself by not having a requireUserVerification option on verifyAuthenticationResponse() like there is on verifyRegistrationResponse(). Instead was the fidoUserVerification argument that felt clunky to use and actually ignored up if set to "preferred".

I remembered I'd added fidoUserVerification to satisfy a few tests in FIDO Conformance testing that require you to pass verification even when user presence was false or not set:

However, digging into why FIDO Conformance required servers to support up not being true when the latest spec requires up to always be true, it seems in 2019 when WebAuthn was in a very early state there was some discussion about the possibility of supporting "silent authentication". The spec never adopted the idea and now, as of today, user presence must be true.

I'm attempting to reopen an issue in the FIDO Conformance Tools repo to get them to reconsider these three tests as I don't think they're relevant anymore given the evolution of WebAuthn over the last three years.

In the meantime I've prepped this diff to make verifyAuthenticationResponse() simpler to use by matching how verifyRegistrationResponse() allows you to require the uv flag be true.