fix: Use user_verification=preferred for ReAuth WebAuthn challenge (#1798)

darkfeline · gkevinzheng · chalmerlowe · web-flow · commit a474872eb58f · 2026-01-08T10:15:38.000-05:00
Since ReAuth is a second factor credential, it is not necessary to
require UV here. This was discussed with ReAuth folks.

Also, in practice, downstream clients disregard this because the U2F
protocol doesn't expose UV enforcement.

---------

Co-authored-by: Kevin Zheng &lt;147537668+gkevinzheng@users.noreply.github.com&gt;
Co-authored-by: Chalmer Lowe &lt;chalmerlowe@google.com&gt;
Co-authored-by: Anthonios Partheniou &lt;partheniou@google.com&gt;
diff --git a/packages/google-auth/google/oauth2/challenges.py b/packages/google-auth/google/oauth2/challenges.py
@@ -225,7 +225,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):
             challenge=self._unpadded_urlsafe_b64recode(challenge),
             timeout_ms=WEBAUTHN_TIMEOUT_MS,
             allow_credentials=allow_credentials,
-            user_verification="required",
+            user_verification="preferred",
             extensions=extension,
         )
 
diff --git a/packages/google-auth/tests/oauth2/test_challenges.py b/packages/google-auth/tests/oauth2/test_challenges.py
@@ -235,7 +235,7 @@ def test_security_key_webauthn():
         challenge=challenge._unpadded_urlsafe_b64recode(sk_challenge["challenge"]),
         timeout_ms=challenges.WEBAUTHN_TIMEOUT_MS,
         allow_credentials=allow_credentials,
-        user_verification="required",
+        user_verification="preferred",
         extensions=extension,
     )
 

Original file line number	Diff line number	Diff line change
`@@ -225,7 +225,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):`
`225`	`225`	`challenge=self._unpadded_urlsafe_b64recode(challenge),`
`226`	`226`	`timeout_ms=WEBAUTHN_TIMEOUT_MS,`
`227`	`227`	`allow_credentials=allow_credentials,`
`228`		`- user_verification="required",`
	`228`	`+ user_verification="preferred",`
`229`	`229`	`extensions=extension,`
`230`	`230`	`)`
`231`	`231`
Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ def test_security_key_webauthn():`
`235`	`235`	`challenge=challenge._unpadded_urlsafe_b64recode(sk_challenge["challenge"]),`
`236`	`236`	`timeout_ms=challenges.WEBAUTHN_TIMEOUT_MS,`
`237`	`237`	`allow_credentials=allow_credentials,`
`238`		`- user_verification="required",`
	`238`	`+ user_verification="preferred",`
`239`	`239`	`extensions=extension,`
`240`	`240`	`)`
`241`	`241`