Confused about CTAP 2.0/2.1 pin UV

[Nehluxhes]

I am trying to get an assertion from a fido security key with a PIN set but no biometrics. That is as of libfido 1.15.0, fido_dev_has_uv return false, fido_dev_has_pin return true.
The relying party request is specifying userVerification to required.

I used to have this code (simplified for clarity)

fido_opt_t userVerification = (_request[UV] == "required" || _request[UV] == "preferred") ? FIDO_OPT_TRUE : FIDO_OPT_FALSE;

fido_assert_set_up(assertions.get(), FIDO_OPT_TRUE);

for (int i = 0; i < _deviceCount; ++i)
{
	std::unique_ptr<fido_dev, fido_deleter> device(fido_dev_new());
	const fido_dev_info_t* deviceInfo = fido_dev_info_ptr(_deviceList.get(), i);
        Logger::Info("Trying {:s} {:s}", fido_dev_info_manufacturer_string(deviceInfo), fido_dev_info_product_string(deviceInfo));
	int fidoError = 0;
	
	fido_assert_set_uv(assertions.get(), userVerification);
	fidoError = fido_dev_get_assert(device.get(), assertions.get(), pin);
	if (fidoError == FIDO_ERR_UNSUPPORTED_OPTION)
	{
	        // Getting here now when I used not to after updating libfido2
		Logger::Warning("Asking fido authenticator for unsupported user verification mode : {:d}", static_cast<DWORD>(userVerification));
		
		if (reqUserVerification != USER_VERIFICATION_REQUIRED)
		{
			fido_assert_set_uv(assertions.get(), FIDO_OPT_OMIT);
			Logger::Warning("Option not mandatory, retrying without user verification");
			fidoError = fido_dev_get_assert(device.get(), assertions.get(), pin);
		}
	}
	fido_dev_close(device.get());
}

When I wrote this code with libfido2 .1.6 this code was working, because the pin was considered a valid UV.
After updating libfido2 this stopped working (starting with 1.9) because according to CTAP 2.1 specifications there is now a difference between a client PIN and a "built-in pin", directly to be typed on the authenticator ? (does such a device even exists today ? )
CTAP 2.0 made no such distinction.

So what I want to know, is that a breaking change ? Am I missing something ? Is there a way for the relying party to specify the requirement to use the client PIN now ?

[LDVG]

Both 1.6.0 and 1.9.0 have separate methods to deal with built-in UV and (client) PIN verification. I'm sorry if you have seen different behaviors across versions. The behavior should certainly not have changed between the two and it's not something we have seen before. Do note that the behavior may also depend on the authenticator implementation.

As far as I can recall, CTAP 2.0 did indeed also make a distinction between Client PIN and built-in UV. Futhermore, the authenticator processing steps as outlined by the CTAP 2.0 specification explicitly say

If the options parameter is present, process all the options. If the option is known but not supported, terminate this procedure and return CTAP2_ERR_UNSUPPORTED_OPTION.

which appears to be what you are seeing (the uv option is not supported by your authenticator).

In WebAuthn, as you seem to be aware, there's no way for the RP to specify that it explicitly wants to perform one or the other type of user verification. Using libfido2, your client implementation can handle it as you see fit, but you should ideally not send an assertion with fido_assert_set_uv(assert, FIDO_OPT_TRUE) to an authenticator that does not support built-in UV.

For example (pseudo code, error handling omitted):

uv = FIDO_OPT_OMIT;
pin = NULL;

if (!strcmp(uvRequested, "preferred") || !strcmp(uvRequested, "required")) {
    if (fido_dev_has_uv(dev)) {
        uv = FIDO_OPT_TRUE;
    } else if (fido_dev_has_pin(dev)) {
        pin = prompt();
        if (!pin) error();
    } else if (!strcmp(uvRequested, "required")) {
        error();
    }
} 
fido_assert_set_uv(assert, uv);
fido_dev_get_assert(dev, assert, pin);

Further handling is of course necessary if, for example, you want to fall back to a PIN if built-in UV fails for some reason, and so on.

Do note that if you use libfido2 to verify the assertion, you should still set fido_assert_set_uv(assert, FIDO_OPT_TRUE) before calling fido_assert_verify() to instruct libfido2 to check that the user verification flag was set by the authenticator (even when a client PIN was used).

[Nehluxhes]

The fido key I am using for my test does support UV via fingerprint but it's not configured, so has_uv return false (in 1.15, in 1.6 there was no such method).

Doing a quick search with 'builtin' or 'built-in' in the CTAP 2.0 specs is not returning anything, and while the 2.1 specs is warning several times client Pin is not UV, there is no such warnings in the 2.0 specs, but I may have missed something, there is a lot of text.
It was definitely working in 1.6 though.

Anyways I am more interested in recent versions so thanks for confirming there is no webauthn option for the client PIN and your answer, I think will just add an option in my application configuration if it needs to be checked and the userVerification flag will just be used for built-in pin/biometrics.