[Webkit-unassigned] [Bug 213894] [WebAuthn] problem with uv = required for makeCredential

Wed Aug 12 15:46:37 PDT 2020

https://bugs.webkit.org/show_bug.cgi?id=213894

David Waite <dwaite at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwaite at gmail.com

--- Comment #3 from David Waite <dwaite at gmail.com> ---
Reproduced on webauthn.io, webauthn.me as well as our own service

Note: steps to reproduce are done on Safari Version 14.0 (16610.1.23.1.3) on Big Sur 20A5343i with a Yubikey 5ci (first production run)

Steps to reproduce:
1. Navigate to https://webauthn.me/debugger
2. Enable `authenticatorSelection`
3. Enable `requireResidentKey`
4. Enable `userVerification`
5. Set `userVerification` to `required`

If key has no PIN previously configured, the key will flash but the UP gesture will be ignored

If the key has a PIN configured, the key will not flash

If userVerification is set to `preferred`, the user will be asked to enter a PIN after the user gesture. On second UP gesture, the operation will succeed

I see similar behavior with #213895 (but that requires making a credential first)

Without (yet) reviewing code, my suspicion is that this might be a filtering operation where the user verification flag in authenticatorGetInfo is used. The `uv` flag is only meant to indicate the authenticator performs internal verification, such as via a biometric sensor or PIN entry pad.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200812/5b83410a/attachment-0001.htm>