fix(passkey): require user verification in passkey response verification#8696
Merged
chaitanyapotti merged 3 commits intomainfrom May 6, 2026
Merged
fix(passkey): require user verification in passkey response verification#8696chaitanyapotti merged 3 commits intomainfrom
chaitanyapotti merged 3 commits intomainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit fe8f2e4. Configure here.
tanguyenvn
force-pushed
the
fix/TO-541-passkey-user-verification
branch
from
c307e6e to
c258e59
Compare
chaitanyapotti
approved these changes
May 6, 2026
pull Bot
pushed a commit
to dmrazzy/core
that referenced
this pull request
May 6, 2026
## Explanation **Current state** `PasskeyController` verifies registration and authentication with `requireUserVerification: true`, so the server expects the WebAuthn **user verification (UV)** flag on assertions. For enrollment-time `get()` options, `generatePostRegistrationAuthenticationOptions` already used `userVerification: 'required'`, but **`generateAuthenticationOptions`** (unlock / enrolled passkey) still used `userVerification: 'preferred'`. With `'preferred'`, the client may allow authenticators to skip UV, producing assertions **without** UV that the server then rejects—wasted ceremonies and confusing failures. **Solution** Set `userVerification: 'required'` on the object returned by `generateAuthenticationOptions`, matching the post-registration path and server verification. Add a unit test that enrolled flows emit `'required'`. Document the fix in `packages/passkey-controller/CHANGELOG.md` under the appropriate **Unreleased** or release section. **Not obvious** This is a client/server **hint alignment** fix, not a new API. Behavior may be stricter at `navigator.credentials.get()` (UV required), which matches what verification already enforced. **Scope** Changes are limited to `@metamask/passkey-controller` (implementation, tests, changelog). No dependency upgrades. ## References - Related: [MetaMask#8696](MetaMask#8696) *(replace or extend with your issue/PR links)* ## Checklist - [x] I've updated the test suite for new or updated code as appropriate - [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate *(optional: JSDoc on `generateAuthenticationOptions` if you want to mention UV)* - [x] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md) - [ ] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them *(N/A—patch-level behavior fix, no breaking API changes)* <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk release bookkeeping only (version bumps and changelog updates) with no functional code changes in this diff. > > **Overview** > Updates release metadata by bumping the root monorepo version to `965.0.0` and `@metamask/passkey-controller` to `2.0.1`. > > Adds a `passkey-controller` `2.0.1` changelog entry documenting stricter WebAuthn user verification requirements and the `generateAuthenticationOptions` alignment to `userVerification: 'required'`, and updates the changelog compare links accordingly. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 8891f9b. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Explanation
Current state:
@metamask/passkey-controllerverified registration and authentication responses withrequireUserVerification: false, so assertions without the WebAuthn UV (user verification) flag could still pass server-side verification. Authentication also documented that UV was intentionally optional for device compatibility.Why change: Requiring user verification strengthens passkey ceremonies by ensuring the authenticator performed user verification (PIN, biometrics, etc.) when the response is accepted.
Solution: Pass
requireUserVerification: trueto bothverifyRegistrationResponseandverifyAuthenticationResponseinPasskeyController. Remove the outdated comment that described UV as optional on the authentication path. Update unit tests that assert the options passed into the verify helpers so they expectrequireUserVerification: true.Consumer note: Callers should request UV-capable ceremonies (e.g. alignuserVerificationin WebAuthn options with this policy) so real clients do not fail verification after this change.References
fix/TO-541-passkey-user-verification)Changelog
packages/passkey-controller/CHANGELOG.mdwith an entry for this user-facing behavior change (recommended: note that verification now requires the UV flag).Checklist
Note
High Risk
Tightens WebAuthn verification by requiring the UV flag on both registration and authentication assertions, which can reject previously accepted responses on some authenticators/clients unless they request UV explicitly.
Overview
Enforces user verification (UV) across passkey enrollment and unlock flows by switching
verifyRegistrationResponseandverifyAuthenticationResponsecalls torequireUserVerification: true.Aligns client request generation with the new policy by setting
userVerification: 'required'ingenerateRegistrationOptions,generatePostRegistrationAuthenticationOptions, andgenerateAuthenticationOptions, and updates tests/changelog to reflect the stricter verification behavior.Reviewed by Cursor Bugbot for commit c258e59. Bugbot is set up for automated code reviews on this repo. Configure here.