Feature: Allowing Setting UserVerification Value in Passkey
Description: Currently, for the Passkey MFA option under Auth0, the UserVerification value is hardcoded to Preferred. There is currently not any way to update this to Required. We would like this to be updated to allow for Admin access to the value.
Use-case: Our implementation of Auth0 supports the data entry of medical information that includes PII. Due to the overhead of security policies and our need to adhere to global governance of all kinds, the inability to set UserVerification to Required means that Passkey as a solution does not meet our security requirements. Specifically, the storage of a passkey within Google Password Manager in Chrome on a Windows device translates the Preferred UserVerification value by allowing any user who is in that browser on that machine to single click approval for the passkey without secondary require authentication. To meet the security requirements of our implementation, specifically to meet governance adherence matching GDPR, we need to block this authentication path by setting UserVerification to Required.