[Webkit-unassigned] [Bug 205222] New: [WebAuthn] Make credential fails if a PIN is set on the authenticator

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 13 15:58:18 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=205222

            Bug ID: 205222
           Summary: [WebAuthn] Make credential fails if a PIN is set on
                    the authenticator
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: loginllama at gmail.com

This impacts iOS and OSX stable and tech preview.

There are at least two bugs involved in this.

Credentials can be made on Authenticators that support Fido_2_1_Pre.
Unfortunately I think that is a side effect of Bug 198408 not having landed.
It could also be some other issue parsing GetInfo.
It looks like on those keys GetInfo parsing fails and Safari falls back to using U2F/CTAP1 to talk to the authenticator.
That is allowing the Make Credential to work. Note that with these keys CTAP1 is always used by Safari to make the credential, PIN set or not.

Older keys with just the two elements (["U2F_V2", "FIDO_2_0"]) seem to parse GetInfo and start CTAP2.
The authenticator will respond with CTAP2_ERR_PIN_REQUIRED if a PIN is set on the device and you don't send a valid pinToken.
It seems that Safari hangs and times out at that point.

The best thing to do is implement client PIN.
Given that may take longer, you should do what Chrome used to do and look at "clientPin" in authenticatorGetInfo (0x04); if that is set to true you should use U2F/CTAP1 to make the credential to avoid needing a PIN.

I will note that it was probably a mistake to require a PIN to make non-resident credentials in CTAP 2.0; however, we have a bunch of authenticators that require it. Firefox avoids the issue by only speaking CTAP1 to keys.
The CTAP 2.1 spec is being changed to allow making non-resident credentials without a PIN entry, but we aren't going to see any of those authenticators for some time, as they wouldn't pass the current CTAP 2.0 certification.

There may also be an issue with sending the UV option to authenticators that support only clientPin. That may be related to a problem parsing GetInfo or some other logic. Some authenticators violate the spec and don't throw an error.
If Bug 198408 is sorted out it will be easier to tell what is happening.

Thanks for releasing WebAuthn on iOS. It is working fine for U2F authenticators, but once large numbers of people get their hands on this, other bugs we didn't notice surface. It shows the interest that people started trying it right away.

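The following is an added example illustrating the interim workaround the report suggests; it is not WebKit code and not code from the reporter. It parses a CTAP2 authenticatorGetInfo response (status byte followed by a CBOR map), reads the options map under key 0x04, and when "clientPin" is true and the relying party does not require user verification it selects U2F/CTAP1 for makeCredential so no pinToken is needed. It also maps a CTAP2_ERR_PIN_REQUIRED (0x36) reply to a distinct outcome instead of waiting on the authenticator. The map keys, option names and status codes are those of the CTAP2 specification; the helper names (cbor_decode, choose_make_credential_protocol, and so on) are hypothetical, the CBOR codec covers only the subset getInfo uses, and the sample responses are constructed, not captured from real hardware.

```python
# Added example, not WebKit's or the reporter's code. Helper names are hypothetical.
# Status codes and getInfo map keys as defined by the CTAP2 specification.
CTAP1_ERR_SUCCESS = 0x00
CTAP2_ERR_PIN_REQUIRED = 0x36
GETINFO_VERSIONS = 0x01   # array of version strings, e.g. ["U2F_V2", "FIDO_2_0"]
GETINFO_OPTIONS = 0x04    # map of option name -> bool, e.g. {"clientPin": True}


def _read_len(buf, pos, info):
    """Argument of a CBOR head: inline value (<24) or 1/2/4/8 following bytes."""
    if info < 24:
        return info, pos
    n = {24: 1, 25: 2, 26: 4, 27: 8}[info]          # KeyError on reserved values
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; returns (value, next_pos).
    Covers unsigned ints, byte/text strings, arrays, maps, true/false only."""
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if major == 0:                                   # unsigned integer
        return _read_len(buf, pos, info)
    if major in (2, 3):                              # byte string / text string
        n, pos = _read_len(buf, pos, info)
        raw = buf[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated string")
        return (raw.decode("utf-8") if major == 3 else bytes(raw)), pos + n
    if major == 4:                                   # array
        n, pos = _read_len(buf, pos, info)
        items = []
        for _ in range(n):
            v, pos = cbor_decode(buf, pos)
            items.append(v)
        return items, pos
    if major == 5:                                   # map
        n, pos = _read_len(buf, pos, info)
        m = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            v, pos = cbor_decode(buf, pos)
            m[k] = v
        return m, pos
    if major == 7 and info in (20, 21):              # false / true
        return info == 21, pos
    raise ValueError(f"unsupported CBOR item 0x{ib:02x}")


def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")


def cbor_encode(v):
    """Encoder for the same subset; used here only to build sample responses."""
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        raw = v.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))


def parse_get_info(response):
    """response = status byte followed by the CBOR-encoded getInfo map."""
    if response[0] != CTAP1_ERR_SUCCESS:
        raise RuntimeError(f"getInfo failed with status 0x{response[0]:02x}")
    info, end = cbor_decode(response, 1)
    if end != len(response):
        raise ValueError("trailing bytes after getInfo map")
    return info


def choose_make_credential_protocol(response, uv_required=False):
    """Return "ctap2" or "ctap1" for makeCredential. clientPin=true means a PIN is
    set, so CTAP2 makeCredential without a pinToken gets CTAP2_ERR_PIN_REQUIRED;
    unless the RP demands user verification, U2F/CTAP1 avoids the PIN entirely."""
    try:
        info = parse_get_info(response)
    except (ValueError, IndexError, KeyError, UnicodeDecodeError):
        return "ctap1"                               # unparsable getInfo: U2F is all we can use
    versions = info.get(GETINFO_VERSIONS, [])
    options = info.get(GETINFO_OPTIONS, {})
    if "FIDO_2_0" not in versions:
        return "ctap1"
    if options.get("clientPin") is True and not uv_required and "U2F_V2" in versions:
        return "ctap1"
    return "ctap2"


def classify_make_credential_status(status):
    """Map the status byte of a makeCredential reply to an outcome, so a
    PIN-required error is surfaced instead of waiting until the request times out."""
    if status == CTAP1_ERR_SUCCESS:
        return "ok"
    if status == CTAP2_ERR_PIN_REQUIRED:
        return "pin_required"
    return "error"


# Constructed sample responses (not captured from real authenticators)
def sample_get_info(client_pin):
    return bytes([CTAP1_ERR_SUCCESS]) + cbor_encode({
        GETINFO_VERSIONS: ["U2F_V2", "FIDO_2_0"],
        0x03: b"\x00" * 16,                          # aaguid
        GETINFO_OPTIONS: {"rk": True, "up": True, "plat": False, "clientPin": client_pin},
    })

TRUNCATED_GET_INFO = bytes([CTAP1_ERR_SUCCESS, 0xA2, 0x01])   # map header, key 1, then nothing

if __name__ == "__main__":
    print(choose_make_credential_protocol(sample_get_info(True)))    # ctap1
    print(choose_make_credential_protocol(TRUNCATED_GET_INFO))       # ctap1
```

Note the three-valued meaning of the option: "clientPin": true means a PIN is set, false means the authenticator supports client PIN but none is set (CTAP2 can be used without a pinToken), and an absent key means client PIN is unsupported. An unparsable getInfo is treated like the Fido_2_1_Pre case in the report, where the client can only fall back to U2F/CTAP1.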