How to limit the number of available factors #200
Comments
Hi! That is not possible, and there's nothing this library can do about it. The most you could do is use authenticator attestation to only allow authenticators that only provide acceptable authentication factors. I would advise against that, since you'd likely end up with such a narrow set of allowable authenticators that only very few of your users can satisfy it. See also this related issue in the spec: w3c/webauthn#1728
Okay, Emil. Thanks for the answer. It seems that we have no choice but to warn the user that if an attacker gains access to the phone, he will be able to use WebAuthn by entering a PIN code, since iOS, after several unsuccessful attempts to read the face, suggests entering a PIN code. Here, most likely, the options will not be stopped by the timeout that is set in the start options.
Yes, most authenticators allow fallback to a PIN or similar since biometrics can be unreliable even for the legitimate user. Also note that clients MAY override the
Hello again @emlun ! I tried reading this section.
I need to limit the number of factors used to identify a user through WebAuthn. I need to exclude PIN code input from authentication. That is, for example, on an iPhone, if the face is read incorrectly several times, the user is prompted to enter a PIN code. So I need to somehow exclude this operation and leave only Face ID or Touch ID.
Can you please explain to me how?