Make user verification required by default

Author: MackinnonBuck

src/Identity/Core/src/IdentityPasskeyOptions.cs

@@ -69,15 +69,16 @@ public class IdentityPasskeyOptions
     /// </para>
     /// <para>
     /// Possible values are "required", "preferred", and "discouraged".
+    /// If set to <see langword="null"/>, the effective value is "preferred".
     /// </para>
     /// <para>
-    /// If left <see langword="null"/>, the browser defaults to "preferred".
+    /// The default value is "required".
     /// </para>
     /// <para>
     /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement"/>.
     /// </para>
     /// </remarks>
-    public string? UserVerificationRequirement { get; set; }
+    public string? UserVerificationRequirement { get; set; } = "required";
 
     /// <summary>
     /// Gets or sets the extent to which the server desires to create a client-side discoverable credential.

src/Identity/test/Identity.Test/IdentityPasskeyOptionsTest.cs

@@ -12,9 +12,9 @@ public void VerifyDefaultOptions()
 
         Assert.Equal(TimeSpan.FromMinutes(5), options.AuthenticatorTimeout);
         Assert.Equal(32, options.ChallengeSize);
+        Assert.Equal("preferred", options.ResidentKeyRequirement);
+        Assert.Equal("required", options.UserVerificationRequirement);
         Assert.Null(options.ServerDomain);
-        Assert.Null(options.UserVerificationRequirement);
-        Assert.Null(options.ResidentKeyRequirement);
         Assert.Null(options.AttestationConveyancePreference);
         Assert.Null(options.AuthenticatorAttachment);
         Assert.Null(options.IsAllowedAlgorithm);