
User verification vs. user presence

User verification is the process an authenticator employs to locally authorize the creation of a credential during registration or the generation of an assertion during authentication. It is performed through an authorization gesture by the user, for example touching the authenticator and entering a PIN, presenting a fingerprint or a facial scan, or providing a voice sample. The purpose of user verification is to ensure that the user performing a registration or authentication operation is in fact who they claim to be. It does not identify the user to the relying party, but it does ensure that two subsequent successful operations that used user verification with the same credential were performed by the same user.

User verification vs. user presence#

User verification is distinct from a simple test of user presence. The purpose of a user presence test is not to identify an individual user but to confirm that someone is physically present at the authenticator; it proves possession and interaction only and says nothing about who is interacting. A user presence test usually consists of touching the authenticator (other modalities may exist).

note

Require user verification in passwordless scenarios, where the authenticator alone must provide multiple factors (possession plus a PIN or biometric). User presence is sufficient for second-factor flows, where the user has already provided a password as a user-identifying shared secret.

User verification with the Hanko API#

When initializing a registration with the Hanko API, the user verification requirement for the registration can be specified in the request body using the options.authenticatorSelection.userVerification attribute.

When initializing an authentication, the user verification requirement for the authentication can be specified in the request body using the options.userVerification attribute.

Possible user verification values are:

  • "required": indicates that user verification is required for the operation. The operation will fail if no user verification is performed.
  • "preferred": indicates that the relying party prefers user verification for the operation if possible, but will not fail the operation if no user verification was performed (i.e. if only proof of user presence was provided). Because clients and authenticators may or may not verify the user under this setting, a relying party that needs to know whether verification actually took place must inspect the UV flag in the returned authenticator data rather than rely on the requested value.
  • "discouraged": indicates that the relying party does not want user verification employed during the operation. Note that some authenticators (platform authenticators in particular) may still verify the user regardless of this setting.
Request user verification on registration - /v1/webauthn/registration/initialize

```json
{
  "options": {
    "authenticatorSelection": {
      "userVerification": "required",
      "authenticatorAttachment": "platform",
      "requireResidentKey": false
    },
    "attestation": "none"
  },
  "user": {
    "id": "e3be22a7-13cf-4235-a09c-380dfd44ac04",
    "name": "john.doe@example.com",
    "displayName": "John Doe"
  }
}
```