How important is setting requireUserVerification to true?

[hwhmeikle]

Our current implementation of passkeys sets the requireUserVerification flag to true as recommended on the passkeys guide.

This uv validation is also recommended in this article https://web.dev/passkey-registration/#save-the-credential

Some of our user's have raised issues related to creating passkeys with the Dashlane (a password manager) browser extension. It seems as though the passkey generated by Dashlane is not return the correct uv flags, which is causing it to fail the validation run as a result of requireUserVerification: true.

Is this something that Dashlane have implemented incorrectly, or is there an argument to be made that requireUserVerification could be set to false?

[justinsoong]

@Mikescops thought you might be in a position to help here, is this the limitation with extensions?

[Mikescops]

Thanks for the ping @justinsoong

Hey @hwhmeikle, as Matt mentioned "preferred" leaves it open to the passkey provider to do the user verification. In our current implementation, entering the master password of the account is the only way to do the UV, and, because it is painful for users we have decided that if it's in "preferred" mode we will skip it to avoid friction and let the flag to false.
In our next iterations we're going to add more ways of guaranteeing the UV that are more convenient for the end users.

If user verification is important for you we recommend using "required", if not it's preferable to remove the check server side.
Another solution, but I'm not very fond of this one, is to discriminate the provider and run custom logic (ie: only letting the uv: false pass if it's coming from Dashlane).

cc @irew may have some extra info about this

[hwhmeikle]

Thanks for the explanation. The rationale behind skipping user verification in this case makes sense, as you say, it's not the most ideal UX. Interested to see how the future iterations get around this.

[MasterKale]

Take a look at this reply I made last month to a similar question:

#416 (reply in thread)

I should probably update the docs to reflect the fact that general passkeys guidance suggests RP's should be okay with occasionally not getting UV with userVerification: "preferred", and thus requireUserVerification doesn't always need to be true when verifying responses. It very much depends on the RP's security modeling, though, so it's difficult to say "everyone should do this."

Hope that helps.

[hwhmeikle]

That definitely helps, thank you!