Page History

...

• WhenUser Verification is set to No Required, this doesn’t mean that User Verification is never performed. For instance, when registering a FIDO2 security key that has PIN set, user verification might be required depending on the application. 

• WhenUser Verification isPreferred, the user experience depends on whether or not a PIN is set or a fingerprint is enrolled on the user’s security key. To achieve a uniform user experience, explicitly set userVerification to either Not Required orRequired according to your specific use case.

• WhenUser Verification is required, keep in mind that registration or authentication will fail in the following cases:

  1. the user has not set a PIN or enrolled a fingerprint on his or her security key. Some browsers will ask the user to set a PIN or enroll a fingerprint during registration, but others don’t.  So, the behaviour cannot in general be relied on.

  2. the user is using a security key that does not support user verification (for instance, a U2F key)

  3. the user is using a browser that does not support user verification (for instance, browsers that implement CTAP1 only)