From 44af0f76dca5321584fa5d40ee80fdbd3d44246d Mon Sep 17 00:00:00 2001
From: Arnaud Dagnelies <arnaud.dagnelies@gmail.com>
Date: Mon, 14 Oct 2024 06:35:59 +0000
Subject: [PATCH] added platform behaviors regarding user verification

---
 docs/concepts.md | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/concepts.md b/docs/concepts.md
index 0936bfc..5d59558 100644
--- a/docs/concepts.md
+++ b/docs/concepts.md
@@ -126,7 +126,7 @@ This is very important to ensure protection against replay attacks. Such an atta
  
 By verifying server-side, that the signed authentication payload contains the freshly generated challenge, it ensures a copied and reused payload will not work since the challenge.
 
-
+You can use `server.randomChallenge()` to generate a cryptographically strong password.
 
 
 ### Device-bound vs synced
@@ -150,6 +150,23 @@ While device-bound keys offer a higher security level, synced software-based key
 I'm not quite sure of all factors that might affect this, but I had both kind of keys in Windows. 
 
 
+## `userVerification` behavior depends on platform
+
+| **iCloud Keychain**      | `discouraged` | `preferred` |	`required`
+| Biometrics available	   | ✅ | ✅ | ✅
+| Biometrics not available | ❌ | ❌ | ✅
+
+| **Google password manager (desktop)** | `discouraged` | `preferred` |	`required`
+| Biometrics available                  | ❌ | ✅	| ✅	
+| Biometrics not available              | ❌ | ❌ | ✅	
+
+| **Windows Hello**        | `discouraged` | `preferred` |	`required`
+| Biometrics available	   | ✅	| ✅	| ✅
+| Biometrics not available | ✅	| ✅	| ✅
+
+> ⚠️ Be warry of most password managers. As you will see below, most of them even lie about the `userVerified` flag in the response.
+
+
 
 🪳 Compatibility and bugs
 -------------------------