User verification

Learn how user presence and user verification are leveraged for an MFA experience through passkeys

These are two concepts that are core to the WebAuthn specification, and are what enables passkey authenticators to facilitate multi-factor authentication. In this section we are going to provide a high level overview of the concepts.

User verification

User verification (UV) serves to ensure that the person authenticating to a service is in fact who they say they are for the purposes of that service. The relying party directs the authenticator to perform user verification, the authenticator performs user verification locally and signals to the application whether user verification was successful. User verification can take various forms, such as password, PIN, fingerprint, face scan, etc. The point is for the user to not only prove physical possession of the device, but ownership of it. A similar mental model is a PIN that is used on a debit or credit card.

User presence

With user presence (UP), the intent is not to identify the user, but to ensure that a user is physically present and in control of the authenticator. For instance, the YubiKey has a touch sensor that cannot be controlled by software. The primary function of user presence is to provide some indication that a user was physically in control of the device during an authentication or registration ceremony.