diff --git a/README.md b/README.md
index fdf692c8..d900521c 100644
--- a/README.md
+++ b/README.md
@@ -237,7 +237,8 @@ begin
   webauthn_credential.verify(
     session[:authentication_challenge],
     public_key: stored_credential.public_key,
-    sign_count: stored_credential.sign_count
+    sign_count: stored_credential.sign_count,
+    user_verification: true, # needed for passwordless verification
   )
 
   # Update the stored credential sign count with the value from `webauthn_credential.sign_count`
@@ -384,11 +385,14 @@ Verifies the asserted WebAuthn credential is [valid](https://www.w3.org/TR/webau
 Mainly, that the client provided a valid cryptographic signature for the corresponding stored credential public
 key, among other extra validations.
 
+Note that the `user_verification: true` flag is required to ensure that the the authenticator has verified the user's identity before sending the credentials. See the following [CVE-2020-8236 writeup](https://hwsecurity.dev/2020/08/webauthn-pin-bypass/)
+
 ```ruby
 credential_with_assertion.verify(
   session[:authentication_challenge],
   public_key: stored_credential.public_key,
-  sign_count: stored_credential.sign_count
+  sign_count: stored_credential.sign_count,
+  user_verification: true # needed for passwordless verification
 )
 ```
 
diff --git a/docs/advanced_configuration.md b/docs/advanced_configuration.md
index 79813d4f..03e82228 100644
--- a/docs/advanced_configuration.md
+++ b/docs/advanced_configuration.md
@@ -101,7 +101,8 @@ session[:creation_challenge] = options.challenge
 begin
   webauthn_credential = relying_party.verify_registration(
     params[:publicKeyCredential],
-    params[:create_challenge]
+    params[:create_challenge],
+    user_verification: true
   )
 
   # Store Credential ID, Credential Public Key and Sign Count for future authentications
@@ -147,7 +148,8 @@ begin
   # in params[:publicKeyCredential]:
   webauthn_credential, stored_credential = relying_party.verify_authentication(
     params[:publicKeyCredential],
-    session[:authentication_challenge]
+    session[:authentication_challenge],
+    user_verification: true
   ) do
     # the returned object needs to respond to #public_key and #sign_count
     user.credentials.find_by(webauthn_id: webauthn_credential.id)