Overview
We've had some reports of operating systems requiring a PIN to be entered before a Yubikey can be used for authentication. Any subsequent use of the Yubikey then appears to force a PIN before use.
Reading some documentation, this appears to be defined by a feature called user verification (UV) - something only applicable to FIDO2 and WebAuthn.
Yubico recommend explicitly enabling or disabling user verification to avoid unintended or unexpected user interaction: "For second factor flows, we recommended to set UV to discouraged to prevent a PIN prompt when using a YubiKey for authentication."
Expected outcome
UV is set to discouraged by default.
The UV type can be configured by a Developer via yaml.
Documentation is created to explain why the default option is set to discouraged, and when a Developer might want to change this.
When might a Developer want to change this? From Yubico: the reason we say it should be discouraged when used in 2FA is because the user has already provided username + password and thus an additional PIN will be a very clunky UX. The PIN should be prompted for only in a FIDO2 usernameless/passwordless flow for example, because then it will itself act as the 2F in addition to the user having possession of the YubiKey itself.
Notes
See spec: https://www.w3.org/TR/webauthn/#userVerificationRequirement
Yubico summary: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html which outlines the broad scenarios that this could kick off: "User verification can take various forms, such as password, PIN, fingerprint, public key credential, etc."