User verification was required, but user could not be verified

[seepine]

Describe the issue

I can startRegister with icloud but verifyRegistrationResponse got error of User verification was required, but user could not be verified

113 |     if (requireUserPresence && !flags.up) {
114 |         throw new Error('User presence was required, but user was not present');
115 |     }
116 |     // Enforce user verification if specified
117 |     if (requireUserVerification && !flags.uv) {
118 |         throw new Error('User verification was required, but user could not be verified');

Reproduction Steps

Just https://simplewebauthn.dev/docs/packages/browser#startregistration steps

Expected behavior

can work

Code Samples + WebAuthn Options and Responses

1. api gen option

import { generateRegistrationOptions } from '@simplewebauthn/server'

// ...
return await generateRegistrationOptions({
      rpName: 'Passkey Auth',
      rpID: 'localhost',
      userName: 'Job',
      attestationType: 'none',
      authenticatorSelection: {
        residentKey: 'preferred',
        userVerification: 'preferred',
        authenticatorAttachment: 'platform'
      }
    })

eg

{
    "challenge": "BQjAfQuDSPNrI5nc1xxxxxxZzQIMwwrj6tk8dUpvYRJuY",
    "rp": {
        "name": "Passkey Auth",
        "id": "localhost"
    },
    "user": {
        "id": "moruL6uRt7z0A-hvPpxxxxxxTQMYP8qc3OsFME-VKgU",
        "name": "macmini",
        "displayName": ""
    },
    "pubKeyCredParams": [
        {
            "alg": -8,
            "type": "public-key"
        },
        {
            "alg": -7,
            "type": "public-key"
        },
        {
            "alg": -257,
            "type": "public-key"
        }
    ],
    "timeout": 60000,
    "attestation": "none",
    "excludeCredentials": [],
    "authenticatorSelection": {
        "residentKey": "preferred",
        "userVerification": "preferred",
        "authenticatorAttachment": "platform",
        "requireResidentKey": false
    },
    "extensions": {
        "credProps": true
    },
    "hints": []
}

2. vue web

import {
  startRegistration
} from '@simplewebauthn/browser'

    const option = (await passkeyRegisterOptions())    // from api resp of step1
    let credential = await startRegistration({
        optionsJSON: option,
        useAutoRegister: false,
      })
    await passkeyRegisterVerify(credential) // this api see step3

3. api verify

      const verification = await verifyRegistrationResponse({
        response: req.body,
        expectedChallenge: challenge,
        expectedOrigin: req.headers.origin,
        expectedRPID: 'localhost'
      })

and the req.body eg

{
  id: "NRwqbIsavMVC8Ata7d6XA4ideb0",
  rawId: "NRwqbIsavMVC8Ata7d6XA4ideb0",
  response: {
    attestationObject: "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAPv8MAcVTk7MjAtuAgVX170AFDUcKmyLGrzFQvALWu3elwOInXm9pQECAyYgASFYICAz0aAvKugAlIEW9o0kw9QHDZQzIIP4NN0_8qcpPWRjIlggv7TycMvZlH4PH8F6DwyMVgcWxJzu4TN5UVKeipQV0fc",
    clientDataJSON: "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiQlFqQWZRdURTUE5ySTVuYzFVejlZWnpRSU13d3JqNnRrOGRVcHZZUkp1WSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDAwMCIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
    transports: [ "hybrid", "internal" ],
    publicKeyAlgorithm: -7,
    publicKey: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIDPRoC8q6ACUgRb2jSTD1AcNlDMgg_g03T_ypyk9ZGO_tPJwy9mUfg8fwXoPDIxWBxbEnO7hM3lRUp6KlBXR9w",
    authenticatorData: "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAPv8MAcVTk7MjAtuAgVX170AFDUcKmyLGrzFQvALWu3elwOInXm9pQECAyYgASFYICAz0aAvKugAlIEW9o0kw9QHDZQzIIP4NN0_8qcpPWRjIlggv7TycMvZlH4PH8F6DwyMVgcWxJzu4TN5UVKeipQV0fc",
  },
  type: "public-key",
  clientExtensionResults: {
    credProps: {
      rk: true,
    },
  },
  authenticatorAttachment: "platform",
}

Dependencies

• OS: macOS15.0
• Browser: Microsoft Edge 131.0.2903.112(arm64)
• Authenticator: icloud device

SimpleWebAuthn Libraries

$ npm list --depth=0 | grep @simplewebauthn
├── @simplewebauthn/[email protected]
├── @simplewebauthn/[email protected]
# ...

Additional context

[MasterKale]

Hello @seepine, you should be able to address this issue by adding the following to your call to verifyRegistrationResponse():

const verification = await verifyRegistrationResponse({
  response: req.body,
  expectedChallenge: challenge,
  expectedOrigin: req.headers.origin,
  expectedRPID: 'localhost',
  requireUserVerification: false,  // <-- Add this argument
})

Alternatively if you want to require user verification take place then update your registration options generation code to require it:

return await generateRegistrationOptions({
  rpName: 'Passkey Auth',
  rpID: 'localhost',
  userName: 'Job',
  attestationType: 'none',
  authenticatorSelection: {
    residentKey: 'preferred',
    userVerification: 'required',  // <-- Changed this to 'required'
    authenticatorAttachment: 'platform',
  }
});

See the yellow "A WORD OF CAUTION ABOUT USER VERIFICATION" here that might help you decide whether or not you want to require UV:

https://simplewebauthn.dev/docs/advanced/passkeys#verifyregistrationresponse

[seepine]

@MasterKale thanks!