During WebAuthn registration in Windows, why does Windows require User Verification, even when the Relying Party does not specify the User Verification requirement, or specifies it as preferred? Is it possible to change OS settings in order to allow a user to skip User Verification when it is not required?
As of Jan. 2023, when using a Windows browser to register a WebAuthn-compatible roaming authenticator (e.g. YubiKey) to a service that does not explicitly set the User Verification value to discouraged (i.e. User Verification is either preferred or simply not set), Windows will require the user to either:
A) register a User Verification method (such as a FIDO2 PIN), if one has not already been set, or
B) authenticate using the User Verification method, if one has already been set,
in order to allow the WebAuthn registration to proceed.
This is even true when the Relying Party does not require that User Verification should/must be used during authentication, such that User Verification will be required to register the WebAuthn device, but then never requested when the device is actually used to authenticate.
It is unclear to me whether Windows has always used this logic, or if it has recently been introduced (I'd love to know). This seems incredibly hostile to end-users who are not aware of what is happening or how to properly manage something like a FIDO2 PIN (read: nearly everyone).
I understand the importance of utilizing User Verification when WebAuthn is used as a "passwordless" auth method. However, WebAuthn is not used only in "passwordless" scenarios, and is arguably more commonly used similarly to U2F, as a form of multi-factor authentication in addition to a password. Given this, I am simply dumbfounded (and frankly, a bit enraged) by Windows' behavior and the confusion it causes.
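For readers looking at this from the Relying Party side, the following is an added example (it is not code from the question's author) showing the two things an RP controls in this situation: the `userVerification` value it sends in `PublicKeyCredentialCreationOptions` (the question notes that only `discouraged` avoids the Windows prompt), and reading the UV flag back out of the returned authenticator data to see whether verification actually took place. The `rpId`, user id, challenge and the `sampleAuthData` bytes are constructed placeholders; the flag bit positions and the 37-byte header layout are those defined by the WebAuthn specification.

```javascript
// Added example, not from the question. Builds WebAuthn creation options with an
// explicit userVerification value, and parses the authenticator data header so the
// RP can check whether the UV (user verified) flag was set during registration.

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// "discouraged", "preferred" and "required" are the three defined UV requirement values.
function buildCreationOptions({ rpId, rpName, userId, userName, challenge, userVerification }) {
  const allowed = ["discouraged", "preferred", "required"];
  if (!allowed.includes(userVerification)) {
    throw new Error(`userVerification must be one of ${allowed.join(", ")}`);
  }
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    // COSE algorithm identifiers: -7 = ES256, -257 = RS256
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming key such as a YubiKey
      userVerification,
    },
    attestation: "none",
    timeout: 60000,
  };
}

// Parse the fixed authenticator data header: 32-byte rpIdHash, 1 flags byte,
// 4-byte big-endian signature counter. Flag bits: UP=0x01, UV=0x04, AT=0x40, ED=0x80.
function parseAuthenticatorDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    up: (flags & 0x01) !== 0, // user present
    uv: (flags & 0x04) !== 0, // user verified (PIN, biometric, ...)
    at: (flags & 0x40) !== 0, // attested credential data follows
    ed: (flags & 0x80) !== 0, // extension data follows
    signCount: view.getUint32(0, false),
  };
}

// Did the registration response satisfy what the RP asked for?
// UP must always be set; UV only matters when the RP said "required".
function uvRequirementSatisfied(userVerification, parsedFlags) {
  if (!parsedFlags.up) return false;
  return userVerification !== "required" || parsedFlags.uv;
}

// Constructed sample authenticator data (placeholder): zero rpIdHash, given flags
// and counter, and no credential body after the 37-byte header.
function sampleAuthData(flags, signCount = 0) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer, 33, 4).setUint32(0, signCount, false);
  return buf;
}

// Demo of the scenario in the question: RP asked for "preferred", the platform
// forced a PIN anyway, so the returned flags carry UP|UV|AT (0x45).
const opts = buildCreationOptions({
  rpId: "example.test",            // placeholder RP id
  rpName: "Example RP",
  userId: new Uint8Array([1, 2, 3]), // placeholder user handle
  userName: "alice",
  challenge: new Uint8Array(32),     // placeholder; use a random challenge in practice
  userVerification: "preferred",
});
const parsed = parseAuthenticatorDataFlags(sampleAuthData(0x45));
console.log(opts.authenticatorSelection.userVerification, "uv flag:", parsed.uv);
```

The `uvRequirementSatisfied` check is where the asker's concern shows up in code: with `preferred`, a response with UV set and one without are both acceptable to the RP, so any PIN the platform forced at registration was never something the RP depended on.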