Conversation

@darkfeline
Contributor

Since ReAuth is a second factor credential, it is not necessary to require UV here. This was discussed with ReAuth folks.

Also, in practice, downstream clients disregard this because the U2F protocol doesn't expose UV enforcement.
@darkfeline
Contributor Author

@cpisunyer who added this originally. Apologies if you're the wrong person to tag or if I missed some contributor task.

@gkevinzheng gkevinzheng requested a review from a team as a code owner December 17, 2025 19:24
@gkevinzheng gkevinzheng previously approved these changes Dec 17, 2025
@gkevinzheng gkevinzheng changed the title from "Use UV=preferred for ReAuth WebAuthn challenge" to "fix: Use UV=preferred for ReAuth WebAuthn challenge" Dec 17, 2025
@gkevinzheng gkevinzheng requested review from gkevinzheng and removed request for gkevinzheng December 17, 2025 20:09
@gkevinzheng gkevinzheng dismissed their stale review December 17, 2025 20:11

Requesting an issue be filed for this.

@chalmerlowe chalmerlowe self-assigned this Dec 30, 2025
@chalmerlowe chalmerlowe added the kokoro:force-run label (Add this label to force Kokoro to re-run the tests.) Dec 30, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run label Dec 30, 2025
@parthea parthea added the kokoro:force-run and kokoro:run labels Jan 5, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:run and kokoro:force-run labels Jan 5, 2026
@chalmerlowe
Contributor

Adding some clarification for future me OR other reviewers:

It looks like this applies to security policy for FIDO2/WebAuthn security keys.

As I understand it, there are two levels of proof a security key can provide; here is how they fit into Multi-Factor Authentication (MFA).

  1. User Presence (UP) vs. User Verification (UV)
    User Presence (UP): This is the lowest level of proof. It typically requires a simple physical action, like tapping a button or touching a gold sensor on the key. It proves that a human is physically there, but it does not prove which human it is.
    User Verification (UV): This is a higher level of proof. It requires the key to verify the user’s identity, usually via a PIN or biometric (like a fingerprint). It proves that the correct authorized user is present.

In many cases, for certain types of logins (ReAuth), a simple touch (UP) is "good enough," even if the device doesn't check a PIN or fingerprint (UV).

The logic follows this breakdown:

  • Initial Login (The First Factor): Usually, the user has already entered a password. The password serves as the "identity" verification.
  • Second Factor (The "Possession" Factor): Since the password already verified who you are, the security key's job is simply to prove you have the physical device.
  • ReAuth (Re-authentication): When you perform a sensitive action (like changing an email address) while already logged in, the system wants to "step up" security. Since your identity was established by your password at login, a simple touch of the key (UP) is considered sufficient to confirm you still have the device in your hand.
  2. Why this distinction exists
    This policy is often implemented to support legacy or simpler hardware.
    Older Keys (U2F/CTAP1): Many older security keys do not have fingerprint readers or the ability to store a PIN. They only support User Presence (the touch button).
    User Experience (UX): Entering a PIN every time you do a minor task (ReAuth) can be annoying. If you are already in a trusted session, a quick tap is a much faster "proof of possession."
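
The UP/UV distinction discussed in the PR description (U2F cannot express UV, so "required" cannot be honoured by U2F-only clients) and in the breakdown above, as an added example that is not part of this PR, the google-auth code base or Google's ReAuth plugins: a relying-party-side check of the flags byte in WebAuthn authenticator data under each user_verification policy, run against constructed authenticator data for a touch-only (U2F-style) key and a PIN/biometric-capable key. The RP ID "example.com" and all function names are assumptions for illustration; signature and challenge verification are left out.

```python
"""Added example (written for this page; not code from google-auth, the PR, or
Google's ReAuth plugins). It shows what the user_verification policy in a
WebAuthn assertion actually controls on the relying-party side: the check of
the UP/UV bits in the authenticator data flags byte.

Authenticator data layout (WebAuthn "Authenticator Data"):
    rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional extensions
Flag bits: UP (user present) = 0x01, UV (user verified) = 0x04.

A U2F/CTAP1 key has no PIN or biometric, so the UV bit in its mapped
authenticator data is never set; "required" therefore rejects every such key,
while "preferred" accepts a touch-only assertion (the PR's rationale).
All sample data below is constructed for the example.
"""
import hashlib
import struct

FLAG_UP = 0x01
FLAG_UV = 0x04
POLICIES = ("required", "preferred", "discouraged")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": sign_count,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
    }


def verify_user_flags(auth_data: bytes, rp_id: str, policy: str) -> tuple:
    """Apply the RP-side UP/UV checks of WebAuthn assertion verification.

    Returns (accepted, reason). UP is always required; UV is required only
    when policy == "required". Signature and challenge checks are out of scope.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown userVerification policy: {policy!r}")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not parsed["up"]:
        return False, "UP flag not set: authenticator did not test user presence"
    if policy == "required" and not parsed["uv"]:
        return False, "policy requires UV but the UV flag is not set"
    return True, "accepted with UV" if parsed["uv"] else "accepted with UP only"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed authenticator data for the example (no real key involved)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def policy_matrix(rp_id: str = "example.com") -> dict:
    """Outcome of each policy against a touch-only (U2F-style) key and a
    PIN/biometric-capable (FIDO2) key that performed UV. Hypothetical RP ID."""
    keys = {
        "u2f_touch_only": make_auth_data(rp_id, FLAG_UP),
        "fido2_uv_done": make_auth_data(rp_id, FLAG_UP | FLAG_UV),
    }
    return {
        (key, policy): verify_user_flags(data, rp_id, policy)[0]
        for key, data in keys.items()
        for policy in POLICIES
    }


if __name__ == "__main__":
    for (key, policy), ok in sorted(policy_matrix().items()):
        print(f"{key:15s} user_verification={policy:11s} -> {'accept' if ok else 'reject'}")
```

Under this check, "preferred" only changes what the client is asked to attempt: a FIDO2 key that did verify the user still reports UV and is accepted with it, while a touch-only key is accepted with UP alone instead of being rejected outright. A client plugin that speaks only U2F has no way to set the UV bit, which is why "required" is unenforceable downstream, as the description notes.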

@chalmerlowe chalmerlowe added the kokoro:force-run label Jan 8, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run label Jan 8, 2026
@chalmerlowe chalmerlowe changed the title from "fix: Use UV=preferred for ReAuth WebAuthn challenge" to "fix: Use user_verification=preferred for ReAuth WebAuthn challenge" Jan 8, 2026
@chalmerlowe chalmerlowe left a comment
Contributor

LGTM
@chalmerlowe chalmerlowe merged commit 3f88a24 into googleapis:main Jan 8, 2026
15 of 18 checks passed