It seems that the WebAuthn spec will soon require clients to upgrade to userVerification: "required" when PRF is requested. (Cf. w3c/webauthn#2337 (comment).) I think this is a good direction, and we should enforce this for WebAuthn requests with PRF.
(Note that this is for WebAuthn PRF only. For CTAP2-level requests, the hmac-secret can still have separate seeds for UV vs. non-UV, and that should not be changed.)
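A sketch of the client-side check proposed above, with a simplified model of why it matters; this is an added example, not code from this project or from the spec. The function names, the `ceremony` parameter, the seed constants and the sample request are assumptions made for illustration, and the authenticator model omits the CTAP2 salt encryption.

```python
import copy
import hashlib
import hmac

# Constructed sample seeds: CTAP2 hmac-secret keeps one per credential for UV, one for non-UV.
CRED_RANDOM_WITH_UV = bytes([0x11]) * 32
CRED_RANDOM_WITHOUT_UV = bytes([0x22]) * 32


def enforce_uv_for_prf(options, ceremony):
    """Return a copy of WebAuthn options with UV forced to "required" when PRF is requested."""
    opts = copy.deepcopy(options)  # never mutate the relying party's dict
    if "prf" not in (opts.get("extensions") or {}):
        return opts  # no PRF: leave the requested preference alone
    if ceremony == "create":
        # Registration carries userVerification inside authenticatorSelection.
        selection = opts.get("authenticatorSelection") or {}
        selection["userVerification"] = "required"
        opts["authenticatorSelection"] = selection
    elif ceremony == "get":
        opts["userVerification"] = "required"  # assertion carries it at the top level
    else:
        raise ValueError("ceremony must be 'create' or 'get'")
    return opts


def prf_salt(prf_input):
    """Map a WebAuthn PRF input to an hmac-secret salt: SHA-256("WebAuthn PRF" || 0x00 || input)."""
    return hashlib.sha256(b"WebAuthn PRF\x00" + prf_input).digest()


def model_hmac_secret(salt, uv_performed):
    """Simplified authenticator model: choose the seed by UV state, then HMAC-SHA-256 the salt."""
    seed = CRED_RANDOM_WITH_UV if uv_performed else CRED_RANDOM_WITHOUT_UV
    return hmac.new(seed, salt, hashlib.sha256).digest()


def evaluate_prf(options, user_verified_if_optional):
    """Model one assertion: UV is performed when required, otherwise only if the flag is set."""
    uv = options.get("userVerification") == "required" or user_verified_if_optional
    salt = prf_salt(options["extensions"]["prf"]["eval"]["first"])
    return model_hmac_secret(salt, uv)
```

With `"preferred"`, the same PRF input yields two different outputs depending on whether the user happened to be verified; after the upgrade the output is always the UV one.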