--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b79673c1-89bc-4670-ae5f-05bb641bcb2an%40fidoalliance.org.
Hi,
User Verification is not mandatory for Discoverable Credentials (aka Resident Keys), at least not in the CTAP2 protocol.
However, in this case the authenticator shall not return any PII if it supports any form of UV – which in turn makes credential selection impossible for the user because the client cannot prompt any meaningful information to identify the account.
Probably on client-side the UV is enforced for RK if the authenticator supports UV, even if set to discouraged, to avoid this UI/UX issue.
Best regards,
--
Thomas Duboucher
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/AFE78D16-A6D8-442B-91BF-31B87B98ADE7%40gmail.com.