[Webkit-unassigned] [Bug 215836] New: Authenticator selection breaking if user verification is set to required in WebAuthn
bugzilla-daemon at webkit.org
Tue Aug 25 20:31:34 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=215836
Bug ID: 215836
Summary: Authenticator selection breaking if user verification is set to required in WebAuthn
Product: WebKit
Version: Safari Technology Preview
Hardware: iPhone / iPad
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: loginllama at gmail.com
This is related to Bug 213934
For CTAP2.0 and CTAP2.1_Pre authenticators that don't support internal user verification, sending the UV option will cause a CTAP2_ERR_UNSUPPORTED_OPTION.
See authenticatorMakeCredential step 3 ( https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential ) and authenticatorGetAssertion step 5.
During authenticator selection, if clientPin is set in the getInfo options, the platform is sending a dummy request to the authenticator to make the LED blink to determine which authenticator to use.
This works when the WebAuthn request contains user verification absent/discouraged/preferred. However, if user verification required is sent by the RP, the platform includes the uv=true option, and that causes a CTAP2_ERR_UNSUPPORTED_OPTION error for CTAP2.0 authenticators that don't support internal UV.
For Authenticators that do support internal UV it seems that some are performing internal UV (fingerprint etc) and not returning the expected error.
I expect that the CTAP 2.0 authenticators with no internal UV are also going to have a further problem after authenticator selection if both a pinToken and uv option are sent to them.
Bio authenticators receiving both the uv option and a pinToken may or may not work. My test CTAP2.1 authenticators that ignore the UV option work, but as client PIN authenticators, ignoring the fingerprint; other authenticators like the BioPass I tested are not working.
The first step would be to remove the uv option being sent with a pinToken. That should never happen in CTAP 2.0. I hope that "platforms MUST NOT do that" is made clearer in the CTAP2.1 spec.
This should explain why the MS test page that sets user verification required won't work with a YK 5Ci, but the same key will work just fine with a resident credential on a site with user verification optional.
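The failure the report describes, as an added, runnable model (this is not WebKit code and not the reporter's test code): a simulated CTAP 2.0 authenticator applies authenticatorMakeCredential step 3 (known but unsupported options are rejected with CTAP2_ERR_UNSUPPORTED_OPTION, unknown ones ignored) and the step 4 pinAuth check, and two client-side request builders are run against it. The getInfo option maps, the zero-length probe without pinAuth, and the "fixed" selection policy are constructed assumptions for illustration; the status codes are the CTAP 2.0 values. The interaction of uv=true together with a pinToken on biometric authenticators, which the reporter says varies by device, is deliberately not modelled.

```python
"""Model of the CTAP 2.0 option handling described in the bug report.

Constructed example: the authenticator follows authenticatorMakeCredential
step 3 and step 4 of CTAP 2.0; the client-side policies are illustrative,
not WebKit's implementation.
"""

CTAP1_ERR_SUCCESS = 0x00
CTAP2_ERR_UNSUPPORTED_OPTION = 0x2B
CTAP2_ERR_PIN_REQUIRED = 0x36

# Option names defined by CTAP 2.0 getInfo. An absent key means "not
# supported"; "uv": False / "clientPin": False mean supported but not set up.
KNOWN_OPTIONS = {"plat", "rk", "clientPin", "up", "uv"}


class CtapError(Exception):
    def __init__(self, code):
        super().__init__(f"CTAP error 0x{code:02X}")
        self.code = code


def authenticator_make_credential(info_options, request):
    """Authenticator side (simulated, CTAP 2.0 semantics).

    Step 3: known but unsupported options end the command with
    CTAP2_ERR_UNSUPPORTED_OPTION; options not understood are ignored.
    Step 4: clientPin set and no pinAuth present -> CTAP2_ERR_PIN_REQUIRED.
    """
    for name, value in request.get("options", {}).items():
        if name not in KNOWN_OPTIONS:
            continue
        if name == "uv" and value is True and "uv" not in info_options:
            raise CtapError(CTAP2_ERR_UNSUPPORTED_OPTION)
    if info_options.get("clientPin") is True and "pinAuth" not in request:
        raise CtapError(CTAP2_ERR_PIN_REQUIRED)
    return CTAP1_ERR_SUCCESS


def client_request_as_reported(rp_uv, pin_auth=None):
    """Platform behaviour the report describes: uv=true whenever the RP sets
    userVerification=required, even alongside a pinAuth."""
    request = {"options": {"uv": True}} if rp_uv == "required" else {}
    if pin_auth is not None:
        request["pinAuth"] = pin_auth
    return request


def client_request_fixed(rp_uv, info_options, pin_auth=None):
    """Illustrative fix (assumption, not WebKit's code): choose exactly one UV
    method from getInfo. Returns None when the authenticator cannot meet
    "required" at all."""
    request = {}
    if info_options.get("clientPin") is True:
        # PIN is this authenticator's UV method; never send uv with a pinAuth.
        if pin_auth is not None:
            request["pinAuth"] = pin_auth
        return request
    if "uv" in info_options and rp_uv in ("required", "preferred"):
        request["options"] = {"uv": True}
        return request
    if rp_uv == "required":
        return None  # no internal UV and no PIN: cannot satisfy the RP
    return request


def selection_probe(info_options, request):
    """Send the dummy selection request (no pinAuth) and return the status."""
    try:
        return authenticator_make_credential(info_options, request)
    except CtapError as e:
        return e.code


# Constructed getInfo option maps for the three authenticator kinds discussed.
PIN_ONLY_KEY = {"rk": True, "up": True, "clientPin": True}          # CTAP 2.0, no internal UV
BIO_KEY = {"rk": True, "up": True, "uv": True, "clientPin": False}  # internal UV available
NO_UV_KEY = {"rk": True, "up": True}                                # neither PIN nor UV

if __name__ == "__main__":
    probe = client_request_as_reported("required")
    print(f"reported behaviour, PIN-only key: 0x{selection_probe(PIN_ONLY_KEY, probe):02X}")
    probe = client_request_fixed("required", PIN_ONLY_KEY)
    print(f"fixed client, PIN-only key:       0x{selection_probe(PIN_ONLY_KEY, probe):02X}")
    probe = client_request_fixed("required", BIO_KEY)
    print(f"fixed client, bio key:            0x{selection_probe(BIO_KEY, probe):02X}")
    print("fixed client skips no-UV key:", client_request_fixed("required", NO_UV_KEY) is None)
```

With the reported behaviour the probe to a PIN-only key dies at step 3 with 0x2B before the authenticator ever looks for a PIN; with the fixed policy the same probe reaches the pinAuth check (0x36) and the real request, carrying a pinAuth and no uv option, succeeds.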