WebAuthn Level 3 § 5.1.3 Step 22 Item 4 states the steps a user agent MUST follow when "conditional"
mediation is used in conjunction with required user verification:
Let userVerification be the effective user verification requirement for credential creation, a Boolean value, as follows. If pkOptions.authenticatorSelection.userVerification
is set to required
- If options.mediation is set to conditional and user verification cannot be collected during the ceremony, throw a ConstraintError DOMException.
- Let userVerification be true.
On my iPhone 15 Pro Max running iOS 18.5, Safari + Passwords does not exhibit this behavior; instead an error is not reported and user verification is not performed (i.e., the UV bit is 0). Per the spec this results in a registration ceremony failure on the server which is made all the more "annoying" since the credential was created in Passwords forcing a user to then delete the credential:
If the Relying Party requires user verification for this registration, verify that the UV bit of the flags in authData is set.
In contrast when I use Google Password Manager + Chrome on a Samsung Galaxy S24 running Android 15, user verification is enforced and the UV bit is 1.
Either the UV bit should be 1 after enforcing user verification or an error should be thrown since user verification cannot be performed.
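
The relying-party check quoted above, as an added example that is not part of the original report or of any browser's or library's code: it reads the flags byte from the fixed 37-byte authData header and rejects a registration when the RP requires user verification but the UV bit is 0. The helper names (`parseAuthDataHeader`, `checkUserVerification`, `sampleAuthData`) are hypothetical and the sample authData is constructed.

```javascript
// Flag bits of the authenticator data "flags" byte (WebAuthn § 6.1).
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthDataHeader(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authData shorter than the 37-byte fixed header");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    flags,
    userPresent: (flags & FLAGS.UP) !== 0,
    userVerified: (flags & FLAGS.UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical RP-side helper. uvRequirement is the value the RP sent in
// authenticatorSelection.userVerification. Returns a decision object so the
// caller can log the reason before failing the ceremony.
function checkUserVerification(authData, uvRequirement) {
  const parsed = parseAuthDataHeader(authData);
  if (uvRequirement === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required by RP but UV bit is 0", ...parsed };
  }
  return { ok: true, reason: null, ...parsed };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, signCount 0.
// A real registration authData also sets AT and carries attested credential
// data after the header; only the header matters for this check.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

// UV bit 0 with "required": the server must fail the registration ceremony.
const noUv = checkUserVerification(sampleAuthData(FLAGS.UP), "required");
// UV bit 1 with "required": the check passes.
const withUv = checkUserVerification(sampleAuthData(FLAGS.UP | FLAGS.UV), "required");
console.log(noUv.ok, noUv.reason);
console.log(withUv.ok, withUv.reason);
```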