
What is the point of required user verification in WebAuthn?

Çağlar Arlı


User verification in WebAuthn can either be required, preferred, or discouraged. The last two are a hint to the authenticator that may be ignored. I see how they could be used to prevent client-side user verification if the server has already asked for a password in a previous step.

"Required" does sound like a requirement, not a hint. But it could easily be ignored/faked by a malicious authenticator. There is no way for the relying party to know. How is this different from "preferred"? Or is this just meant to be a stronger hint?

In other words: What guarantees does the relying party get? Do I understand correctly that it cannot be sure that user verification has really happened?
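The relying-party side of the check the question asks about, as an added example that is not part of the question and not taken from any WebAuthn library: the RP parses the `authenticatorData` it receives and, when it asked for `userVerification: "required"`, rejects any assertion whose User Verified (UV) flag bit is clear. The `make_auth_data` helper builds constructed sample data with a placeholder `rpIdHash`; everything the check sees is what the authenticator chose to report.

```python
import struct
from dataclasses import dataclass

# Bits of the one-byte "flags" field in WebAuthn authenticatorData.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data included
FLAG_ED = 0x80  # Extension data included


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def check_user_verification(auth_data: bytes, requirement: str) -> bool:
    """RP-side enforcement of the userVerification option for an assertion.

    The UP bit must always be set. For "required" the UV bit must be set too;
    for "preferred" and "discouraged" the UV bit is recorded but not enforced.
    Returns True when the assertion passes this check.
    """
    ad = parse_auth_data(auth_data)
    if not ad.flags & FLAG_UP:
        return False
    if requirement == "required":
        return bool(ad.flags & FLAG_UV)
    if requirement in ("preferred", "discouraged"):
        return True
    raise ValueError(f"unknown userVerification value: {requirement}")


def make_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData; the rpIdHash is an all-zero placeholder."""
    return b"\x00" * 32 + bytes([flags]) + struct.pack(">I", sign_count)
```

Whether the UV bit is truthful is exactly the question's point: the check only verifies the bit the authenticator set, so confidence in it comes from knowing which authenticator produced it (e.g. via attestation at registration), not from the flag alone.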