Perhaps I didn’t express the question clearly. I think that the discussion that arose in the other threads is precisely about what do the specifications require?
Only if a rigorous reading of the published specifications actually require UV to be done during each authentication ceremony (as opposed to being able to “inherit” some form of UV that was done prior to the passkey authentication ceremony).
So this is exactly what the debate is: what do the standards actually require?
In the other thread, I wrote:
@DenBesten then responded:
[Edited to Add:] …the above exchange is an example of the debate at hand (which I’m hoping can be resolved in this thread).
Personally, I’m fairly certain that the WebAuthn standard does require UV to occur contemporaneously, during each individual passkey authentication ceremony — and I believe that you (@Nail1684) are of this opinion as well, based on what you have posted.*
I plan to post some sources for my assertion in this thread, which will either settle the question, or lead to additional discussion…
*However, I’m confused about your interpretation of what I had described as “the answer [being] `No’” vs. “Yes” — in the above context, “yes” means that to be compliant with all specifications, Bitwarden must require contemporaneous UV (as they’ve started doing since version 2024.6.0); conversely, “no” means that the new behavior is not required by the specs, and that the old (pre-2024.6.0) behavior was in fact already compliant with the specifications and standards.