Missing documentation of an option needed to avoid a vulnerability allowing Passwordless to be bypassed if a developer doesn't double-check it on the server-side #350

Description

@bockp

As laid out in this article from August 2020:

https://hwsecurity.dev/2020/08/webauthn-pin-bypass/

Android 7+ (possibly other phone OSes too?) currently doesn't have a properly configured NFC system for Yubikeys when it comes to Passwordless login.

Their authentication system (as well as the above article's browser-based exploit code) allows the browser-side authenticator to ignore the requirement of User Verification and send in a challenge that is recognized as valid, thus allowing a user to log in using just Username + NFC yubikey, without checking the UV at all.

You've already got one test in your test suite that has the proper code, so it is supported already:

Just need a mention in this piece of documentation that, if using a key as Passwordless, `user_verification: true` needs to be in the `.verify()` code or it won't properly check that it's a valid Passwordless (User Presence + User Verification) login, and an exploit can bypass it.

https://github.com/cedarcode/webauthn-ruby#publickeycredentialwithassertionverifychallenge-public_key-sign_count
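To make the server-side check concrete, here is an added stand-alone Ruby example (not code from webauthn-ruby or from the issue author) that parses the flags byte of WebAuthn authenticator data and applies the UP/UV checks. The keyword name `user_verification` is taken from the issue; the function names, the `rp_id`, and the sample assertions are constructed for illustration.

```ruby
require 'digest'

# Flag bits of the authenticator data flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01 # User Present
FLAG_UV = 0x04 # User Verified

# Constructed authenticator data: 32-byte SHA-256 of the RP ID, one flags byte,
# 4-byte big-endian signature counter. No attested credential data or extensions.
def build_authenticator_data(rp_id, flags, sign_count)
  Digest::SHA256.digest(rp_id) + [flags].pack('C') + [sign_count].pack('N')
end

# Constructed samples (hypothetical RP ID). UP_ONLY models the NFC-tap case
# from the linked article: the user was present but never verified (no PIN).
RP_ID = 'example.test'
UP_ONLY_ASSERTION = build_authenticator_data(RP_ID, FLAG_UP, 7)
UP_AND_UV_ASSERTION = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 8)

# Mirrors the shape of the library call discussed above: user_verification
# defaults to false, so a relying party that wants Passwordless must opt in.
# Returns :ok or a symbol naming the first failed check.
def check_assertion_flags(authenticator_data, expected_rp_id, user_verification: false)
  return :too_short if authenticator_data.bytesize < 37
  return :rp_id_mismatch unless authenticator_data.byteslice(0, 32) == Digest::SHA256.digest(expected_rp_id)

  flags = authenticator_data.getbyte(32)
  return :user_not_present if (flags & FLAG_UP).zero?
  # This is the check the issue asks to document: without user_verification: true,
  # a UP-only assertion from a tapped key is accepted as a full Passwordless login.
  return :user_not_verified if user_verification && (flags & FLAG_UV).zero?

  :ok
end

if __FILE__ == $PROGRAM_NAME
  puts check_assertion_flags(UP_ONLY_ASSERTION, RP_ID)                          # :ok
  puts check_assertion_flags(UP_ONLY_ASSERTION, RP_ID, user_verification: true)  # :user_not_verified
  puts check_assertion_flags(UP_AND_UV_ASSERTION, RP_ID, user_verification: true) # :ok
end
```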
