...
There are 3 options for user verification:

| Option | Description |
|---|---|
| Not Required | This value indicates that user verification is not required or is discouraged when initiating registration or authentication. |
| Preferred | This value indicates that the service prefers user verification for the operation if possible, but will not fail if user verification is not enabled. |
| Required | This value indicates that the service requires user verification for the operation and will fail the operation if user verification is not enabled or was not carried out successfully. |
Note that:

- When User Verification is set to Not Required, this doesn’t mean that User Verification is never performed. For instance, when registering a FIDO2 security key that has a PIN set, user verification might be required depending on the application.
- When User Verification is Preferred, the user experience depends on whether or not a PIN is set or a fingerprint is enrolled on the user’s security key. To achieve a uniform user experience, explicitly set User Verification to either Not Required or Required according to your specific use case.
- When User Verification is Required, keep in mind that registration or authentication will fail in the following cases:
  - the user has not set a PIN or enrolled a fingerprint on his or her security key. Some browsers will ask the user to set a PIN or enroll a fingerprint during registration, but others don’t, so this behaviour cannot in general be relied on.
  - the user is using a security key that does not support user verification (for instance, a U2F key)
  - the user is using a browser that does not support user verification (for instance, browsers that implement CTAP1 only)
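
The three options above can be enforced on the service side by reading the UV flag that the authenticator reports in its authenticator data. The following is an added example, not code from the original page: the function names are hypothetical, the mapping of the page's option names to the WebAuthn `userVerification` values `discouraged`, `preferred` and `required` is an assumption, and the sample bytes are constructed.

```javascript
// Assumed mapping from the option names used above to WebAuthn's
// userVerification values (sent in the registration/authentication options).
const UV_POLICY = {
  "Not Required": "discouraged",
  "Preferred": "preferred",
  "Required": "required",
};

const FLAG_UV = 0x04; // bit 2 of the flags byte: user verified

// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function userVerified(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  return (authData[32] & FLAG_UV) !== 0;
}

// Decide whether a response satisfies the configured option.
// Only "Required" fails the operation; the other two accept either outcome
// but still report whether verification happened, since a key with a PIN
// set may perform it even when it was not asked for.
function checkUserVerification(authData, option) {
  const requirement = UV_POLICY[option];
  if (requirement === undefined) throw new Error("unknown option: " + option);
  const uv = userVerified(authData);
  if (requirement === "required" && !uv) {
    return { ok: false, requirement, userVerified: uv,
             reason: "user verification required but UV flag not set" };
  }
  return { ok: true, requirement, userVerified: uv, reason: null };
}

// Constructed sample: zeroed rpIdHash and signCount, caller-chosen flags byte.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

// 0x01 = user present only (e.g. a touch on a key with no PIN); 0x05 = present + verified.
for (const [flags, option] of [[0x01, "Required"], [0x05, "Required"], [0x01, "Preferred"]]) {
  console.log(option, flags.toString(16), checkUserVerification(sampleAuthData(flags), option));
}
```
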
...