This, exactly. I’m OK with skipping UV even when “required” by the RP as long as uv=false is returned. This allows the RP to decide how to react to non-cooperation (perhaps unlocking only lesser capabilities).
From a UX perspective, I would display one of these two messages:
and then alongside the UV action include the option to “Continue without verification”.
Help me understand your ranking. Is there something I am failing to consider, or do we simply weigh the risks differently?
My significant risk factors:
Non-UV Passkey advantages:
- Better MITM protections thanks to end-to-end (website to vault) encryption.
- Better protection from website compromise, due to the server only having the public key.
Password/TOTP advantages:
- Better vault-disclosure protection due to the ability to pepper or “eggs in two baskets”.
Equal considerations:
- Both are single-factor (“something you have” – the vault).
- Both are resistant to replay attacks.
I suggest that in the world of vaults and soft-tokens, password/TOTP is only a single factor (“something you have”), just like non-UV Passkeys. In other words, I view non-UV as the status-quo, and UV as the gain.
I’m also not entirely sure how much the concept of MFA matters as we grow beyond simple passwords. In many cases, I feel better having a single high-security padlock than two lower-security padlocks with different keys.
It makes the contents of the vault insufficient to complete the authentication process, much like peppering or two-baskets can do for plain passwords. One’s level of faith in their vault security will determine how much this matters to them.
P.S. Hating on slow-mode. I would much rather respond to two different messages in separate posts to better keep things straight.
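The policy sketched in the first paragraph (accept a uv=false assertion and let the RP decide what it unlocks), as an added example that is not part of the original post or of any vendor's code: the RP decodes the WebAuthn authenticator data flags byte and maps the UV/UP bits to an access level. The `decide_access` policy and the `make_auth_data` sample builder are hypothetical helpers; the flag bit positions are those of the WebAuthn authenticator data format.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the WebAuthn authenticator data "flags" byte (byte 32 of authData).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (credential may be synced to a vault)
FLAG_BS = 0x10  # backup state (credential is currently backed up)


@dataclass
class AuthDataFlags:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool


def parse_flags(auth_data: bytes) -> AuthDataFlags:
    """Decode the flags byte from raw authenticator data: rpIdHash(32) | flags(1) | signCount(4) | ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return AuthDataFlags(
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
    )


def decide_access(auth_data: bytes, rp_requires_uv: bool) -> str:
    """Hypothetical RP policy: an assertion without UP is rejected; UV grants full access;
    a uv=false assertion where the RP asked for UV yields a 'limited' session (lesser
    capabilities) instead of a hard failure, so the user can step up later."""
    f = parse_flags(auth_data)
    if not f.user_present:
        return "reject"
    if f.user_verified:
        return "full"
    return "limited" if rp_requires_uv else "full"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data for this example (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```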