What is User Verification in WebAuthn?

Dive into User Verification in WebAuthn, a pivotal feature for developers to ensure correct user authorization in secure systems.

Vincent Delitz

Created: October 18, 2023

Updated: May 12, 2026

User verification in WebAuthn refers to the process by which an authenticator confirms a user's identity during the authentication ceremony.

What is User Verification?

User Verification in WebAuthn refers to the process by which an authenticator confirms a user's identity during the authentication ceremonies. This process is crucial for ensuring that the individual presenting the credential is the same one who registered it. Key aspects of User Verification include:

  • Authorization Gestures: May involve PIN codes, biometric recognition, or password entry.
  • Security and Integrity: Ensures that the user controls the credential's private key, without revealing their identity to the Relying Party.
  • Rate Limiting: Implements protection against brute force attacks by limiting failed authentication attempts.

For more details, we recommend taking a look at our recent blog post about WebAuthn User Verification & User Presence for Passkeys.

Key Takeaways

  • User Verification in WebAuthn refers to the process by which an authenticator confirms a user's identity during the authentication ceremonies.
  • Employs various modalities like biometrics or PIN codes for authorization.
  • Enhances security by ensuring that the user initiating the process is the credential's legitimate owner.

User Verification in WebAuthn plays a significant role in differentiating users and maintaining the security integrity of authentication processes. It is an essential component for Relying Parties to authenticate users securely without concrete identification.

Detailed Insights

  • Process and Modalities: Involves checking whether the user is authorized to use the authenticator. This could be via biometrics, PINs, passwords, etc.
  • Privacy and Security Considerations: While it doesn't provide concrete user identification, it ensures the same user is consistently performing the authentication ceremonies.
  • Incorporation into Authentication Flow: User Verification criteria can be set by Relying Parties in the AuthenticatorSelectionCriteria to specify their requirements regarding this feature.
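
A server-side check for the last point, as an added example (not Corbado's code): the Relying Party requests `userVerification: "required"` and then confirms the UV flag in the returned authenticator data. Function names and sample bytes are constructed for illustration; signature and rpIdHash verification are assumed to happen separately.

```javascript
// Flag bits of the authenticator data flags byte, as defined by WebAuthn.
const FLAG_UP = 0x01; // User Present
const FLAG_UV = 0x04; // User Verified

// Fragment of the creation options: the RP states its requirement here.
// Valid values are "required", "preferred" and "discouraged".
const authenticatorSelection = { userVerification: "required" };

// Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian).
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Compare what the authenticator reported with the RP's requirement.
// Assumption of this sketch: user presence is always demanded.
function checkUserVerification(bytes, requirement) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) {
    return { ok: false, reason: "UP flag not set" };
  }
  if (requirement === "required" && !data.userVerified) {
    return { ok: false, reason: "UV required but UV flag not set" };
  }
  // With "preferred" or "discouraged" the ceremony passes either way;
  // the caller can still record whether verification took place.
  return { ok: true, userVerified: data.userVerified };
}

// Constructed sample: zeroed rpIdHash placeholder, chosen flags, signCount 1.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 1;
  return b;
}
```

The flag is only trustworthy once the assertion signature over the authenticator data has been verified, so this check belongs after that step.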
User Verification FAQs

How does User Verification function in the WebAuthn authentication process?

User Verification authenticates the user by verifying their identity through authorization gestures like biometrics or PINs, ensuring the user controlling the private key is authorized.

What role does User Verification play in enhancing WebAuthn's security?

It enhances security by confirming the legitimacy of the user engaging in the authentication process, protecting against unauthorized access.

Are there different modalities for User Verification in WebAuthn?

Yes, User Verification can involve various methods like biometric recognition, PIN entry, or password usage, depending on the authenticator's capabilities.

How does User Presence differ from User Verification in WebAuthn?

User Presence confirms physical interaction with the authenticator, while User Verification authenticates the user's identity through methods like PINs or biometrics.
