From d10be522ae9a61c963ead167664e13767c15cc9b Mon Sep 17 00:00:00 2001 From: "forkline-dev[bot]" Date: Sat, 21 Feb 2026 10:40:13 +0000 Subject: [PATCH] fix: resolve discoverable credentials login issue The root cause was in the AuthenticatorOptions configuration: 1. uv: Some(true) caused is_protected_by_uv() to return true 2. always_uv: Some(true) required UV for all operations 3. soft-fido2-ctap's MakeCredential lacks auto-UV logic that GetAssertion has 4. When browser didn't request UV, operations returned OperationDenied The fix: - uv: None - Don't claim built-in UV capability (passless uses notifications, not biometrics) - client_pin: Some(false) - PIN supported but not set - always_uv: None - Don't require UV for operations This allows discoverable credential flows to work via the request_up callback for user presence, without triggering UV requirement checks in soft-fido2. Resolves: #157
---
 cmd/passless/src/authenticator.rs | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/cmd/passless/src/authenticator.rs b/cmd/passless/src/authenticator.rs
index 43b25c2..adea30b 100644
--- a/cmd/passless/src/authenticator.rs
+++ b/cmd/passless/src/authenticator.rs
@@ -301,17 +301,17 @@ impl AuthenticatorService {
 /// Create a new authenticator service
 pub fn new(storage: S, security_config: SecurityConfig) -> Result {
 let options = AuthenticatorOptions {
- rk: true, // Resident keys (passkeys)
- up: true, // User presence
- uv: Some(true), // User verification
- plat: true, // Platform authenticator
- client_pin: None, // Client PIN support
- pin_uv_auth_token: Some(true), // PIN UV auth token
- cred_mgmt: Some(true), // Credential management enabled
+ rk: true,
+ up: true,
+ uv: None,
+ plat: true,
+ client_pin: Some(false),
+ pin_uv_auth_token: Some(true),
+ cred_mgmt: Some(true),
 bio_enroll: None,
 large_blobs: None,
 ep: None,
- always_uv: Some(true),
+ always_uv: None,
 make_cred_uv_not_required: Some(true),
 };
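Review bot: With `uv: None` and `always_uv: None` next to the unchanged `make_cred_uv_not_required: Some(true)`, these options gate credential creation and assertion on user presence alone, and the hunk drops every inline comment without recording that this is deliberate. Keep the reasoning at the fields, e.g. `uv: None, // no built-in UV: approval is a notification (presence), not verification` and `always_uv: None, // UV not enforced here; RPs that need it must check the UV flag`. `pin_uv_auth_token: Some(true)` and `cred_mgmt: Some(true)` stay advertised while `client_pin: Some(false)` reports that no PIN is set. The soft-fido2 handling is not visible here, so it is worth confirming that credential-management commands are refused until a PIN exists rather than served without a token, and that setting a PIN is actually implemented, since `Some(false)` advertises it. `new` continues past the end of the hunk.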