MDS isFreshUserVerificationRequired and UV flag


Andrey Paramonov

Apr 26, 2022, 12:49:52 PM
to FIDO Dev (fido-dev)
Can someone please explain a little bit more how the FIDO metadata statement isFreshUserVerificationRequired attribute should be used during assertion?

Suppose (isFreshUserVerificationRequired=true) in the metadata and (UV=false) in the assertion authData. Should the RP reject the assertion? Or do I misunderstand the purpose of isFreshUserVerificationRequired?

Ackermann Yuriy

Apr 26, 2022, 3:12:03 PM
to Andrey Paramonov, FIDO Dev (fido-dev)
Hey Andrey.

This is applicable to the legacy UAF. This flag is defined if user approval is cached, and then you need to check for how long.

This attribute was never really used, and was removed from MDS3 https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html


Regards.
Yuriy


Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand



Andrey Paramonov

Apr 26, 2022, 3:27:12 PM
to FIDO Dev (fido-dev), Ackermann Yuriy, Andrey Paramonov
Thank you Yuriy!

We do use MDS3 though, and this attribute is still there in the spec and in some metadata statements from the latest blob. The spec doesn't say that it's going to be removed.

But, if it was only meant for legacy UAF, we'll ignore it for FIDO2 assertions.

Thanks again for the quick clarification.

Ackermann Yuriy

Apr 26, 2022, 3:47:03 PM
to Andrey Paramonov, FIDO Dev (fido-dev)
Duh. Sorry, my mistake. Yes, you may ignore it.

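Since the thread's conclusion is that isFreshUserVerificationRequired can be ignored for FIDO2 assertions, the check an RP actually performs is on the UV bit of the authenticatorData flags byte against its own userVerification requirement. The example below is added here and is not code from either participant or from the FIDO Alliance: it parses the fixed 37-byte authenticatorData prefix (rpIdHash, flags, signCount, as laid out in the WebAuthn specification), exposes the UP and UV bits, and applies the RP-side decision for the scenario in the question (UV=false with a "required" policy is rejected). The helper build_auth_data and the test vectors for rpId "example.com" are constructed for this example only.

```python
# Added example, not from the mailing-list thread: parse WebAuthn authenticatorData
# flags and apply an RP user-verification policy. Sample inputs are constructed.
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the authenticatorData "flags" byte (WebAuthn, authenticator data layout).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data included (registration only)
FLAG_ED = 0x80  # Extension data included


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the fixed prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthData(
        rp_id_hash=rp_id_hash,
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        sign_count=sign_count,
    )


def rp_id_hash_matches(ad: AuthData, rp_id: str) -> bool:
    """rpIdHash must equal SHA-256 of the RP ID the RP expects."""
    return ad.rp_id_hash == hashlib.sha256(rp_id.encode("ascii")).digest()


def check_user_verification(ad: AuthData, uv_requirement: str) -> bool:
    """RP decision on the UV flag for an assertion.

    uv_requirement is the RP's own userVerification value: "required", "preferred"
    or "discouraged". The legacy UAF metadata field isFreshUserVerificationRequired
    is deliberately not consulted, in line with the thread's conclusion.
    """
    if uv_requirement not in ("required", "preferred", "discouraged"):
        raise ValueError(f"unknown userVerification requirement: {uv_requirement}")
    if not ad.user_present:
        return False  # UP must be set on every assertion
    if uv_requirement == "required":
        return ad.user_verified  # the case from the question: UV=false -> reject
    return True  # "preferred"/"discouraged": UV is informational, not mandatory


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test-vector builder (hypothetical helper, not a WebAuthn API)."""
    return hashlib.sha256(rp_id.encode("ascii")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: authenticator reports UP only, RP requires UV.
    sample = build_auth_data("example.com", FLAG_UP, 7)
    ad = parse_auth_data(sample)
    print("rpIdHash ok:", rp_id_hash_matches(ad, "example.com"))
    print("UP:", ad.user_present, "UV:", ad.user_verified, "signCount:", ad.sign_count)
    print("accept under 'required':", check_user_verification(ad, "required"))
    print("accept under 'preferred':", check_user_verification(ad, "preferred"))
```

The same parser serves both registration and authentication because the 37-byte prefix is identical; only the presence of the AT and ED bits tells the RP whether attested credential data or extensions follow, and a full RP would go on to verify the signature over authenticatorData and the client data hash before trusting any of these bits.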
