Handling User Verification (UV) Flag in FIDO2 Conformance Tool Tests

41 views
Skip to first unread message

jorge alfonso

unread,
Sep 5, 2024, 12:40:52 PMSep 5
to FIDO Dev (fido-dev)

Hello,

I am currently running the FIDO2 Conformance Tool for server validation, and I am facing an issue with handling the User Verification (UV) flag across multiple tests. Specifically, the tool runs a variety of tests, some requiring user verification (userVerification: "required") and others not. However, I am unable to determine when the conformance tool expects the server to enforce user verification and check for the UV flag in the authenticatorData.

The problem I'm encountering is as follows:

  • If I enforce the UV flag check globally, certain tests that do not require user verification fail because the UV flag is missing.
  • If I do not enforce the UV flag check, tests that require userVerification fail because the UV flag is missing when it should be set.

I am looking for guidance on how to handle this situation where the tool performs multiple tests, some requiring UV and others not, without knowing in advance which specific tests are running.

Questions:
  1. Is there a specific way to determine from the request or response when userVerification is required for a given test?
  2. Is there a recommended approach for dynamically handling the UV flag check in scenarios where it's not clear whether user verification is enforced or optional?
  3. How should the server handle the conformance tool's different test cases without causing failures for tests that do not enforce user verification?

FIDO2 Test: F-4 For authenticator that supports counter: Send ServerAuthenticatorAssertionResponse with authenticatorData.counter is not increased, and check that server returns an error

Any advice or guidance would be greatly appreciated.

Thank you!

Shane Weeden

unread,
Sep 5, 2024, 4:44:55 PMSep 5
to jorge alfonso, FIDO Dev (fido-dev)
The request to /options for each test includes userVerification: required when it is needed. 

Sent from my iPhone

On 6 Sep 2024, at 2:40 AM, jorge alfonso <snoopy...@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/8e5beca6-0dd2-4514-8131-0cb990ba3b68n%40fidoalliance.org.
Reply all
Reply to author
Forward
0 new messages