MDS isFreshUserVerificationRequired and UV flag

21 views
Skip to first unread message

Andrey Paramonov

unread,
Apr 26, 2022, 12:49:52 PMApr 26
to FIDO Dev (fido-dev)
Can someone please explain little bit more how FIDO metadata statement isFreshUserVerificationRequired attribute should be used during assertion?

Suppose, (isFreshUserVerificationRequired=true) in the metadata and (UV=false) in assertion authData. Should RP reject the assertion? Or do I misunderstand the purpose of isFreshUserVerificationRequired?

Ackermann Yuriy

unread,
Apr 26, 2022, 3:12:03 PMApr 26
to Andrey Paramonov, FIDO Dev (fido-dev)
Hey Andrey.

This is applicable to the legacy UAF. This flag is defined if use approval is cached, and then you need to check for how long.

This attribute was never really used, and was removed from MDS3 https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html


Regards.
Yuriy


Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand


On Tue, 26 Apr 2022 at 17:49, 'Andrey Paramonov' via FIDO Dev (fido-dev) <fido...@fidoalliance.org> wrote:
Can someone please explain little bit more how FIDO metadata statement isFreshUserVerificationRequired attribute should be used during assertion?

Suppose, (isFreshUserVerificationRequired=true) in the metadata and (UV=false) in assertion authData. Should RP reject the assertion? Or do I misunderstand the purpose of isFreshUserVerificationRequired?

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/26ea54df-f913-4fb4-9a70-1df37302253fn%40fidoalliance.org.

Andrey Paramonov

unread,
Apr 26, 2022, 3:27:12 PMApr 26
to FIDO Dev (fido-dev), Ackermann Yuriy, Andrey Paramonov
Thank you Yuriy!

We do use MDS3 though, and this attribute is still there in the spec and in some metadata statements from the latest blob. The spec doesn't say that it's going to be removed.

But, if it was only meant for legacy UAF, we'll ignore it for FIDO2 assertions.

Thanks again for the quick clarification.

Ackermann Yuriy

unread,
Apr 26, 2022, 3:47:03 PMApr 26
to Andrey Paramonov, FIDO Dev (fido-dev)
Duh. Sorry, my mistake. Yes, you may ignore it.

Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand

Reply all
Reply to author
Forward
0 new messages