[Webkit-unassigned] [Bug 213903] [WebAuthn] authenticators supporting internal uv and pinToken defaulting to client pin

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 2 15:58:12 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213903

login Llama <loginllama at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jiewen_tan at apple.com,
                   |                            |loginllama at gmail.com

--- Comment #1 from login Llama <loginllama at gmail.com> ---
iOS 14 performs client PIN authentication with any authenticator advertising clientPin=True in authenticatorGetInfo. Most authenticators that support internal uv also support pinToken.

For authenticators that have both clientPin=True and uv=true in CTAP2.0 (logic changes in CTAP2.1), if uv is required, the platform should first do authenticatorGetCredential with the uv option set to 1.

The authenticator will return an assertion or an error.
CTAP2_ERR_OPERATION_DENIED 0x27 is returned if the authenticator doesn't want pin fallback.
CTAP2_ERR_PIN_REQUIRED 0x35 is returned if uv mismatch wanting a fallback to clientPin.

If the error is CTAP2_ERR_PIN_REQUIRED then the platform should then do:
authenticatorClientPIN (0x06) getKeyAgreement
authenticatorClientPIN (0x06) getPINToken

Then retry authenticatorGetCredential with pinAuth.

-- 
You are receiving this mail because:
You are the assignee for the bug.
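
The flow described in comment #1, sketched as an added example that is not part of the original comment and is not WebKit's code. The authenticator is modelled as a callback, and `Status`, `Step`, `Authenticator`, `Result` and `getWithUvThenPinFallback` are hypothetical names chosen for illustration.

```cpp
#include <functional>
#include <vector>

// Outcomes named in the comment; numeric codes are deliberately left out.
enum class Status {
    Ok,              // an assertion was returned
    OperationDenied, // CTAP2_ERR_OPERATION_DENIED: no PIN fallback wanted
    PinRequired      // CTAP2_ERR_PIN_REQUIRED: fall back to clientPin
};

// Hypothetical model of the commands the platform can send.
enum class Step { GetWithUv, GetKeyAgreement, GetPinToken, GetWithPinAuth };

// Hypothetical transport: sends one step, returns the authenticator's status.
using Authenticator = std::function<Status(Step)>;

struct Result {
    Status status;
    std::vector<Step> sent; // every command issued, in order
};

// Platform-side flow for an authenticator advertising both clientPin and uv
// when user verification is required (CTAP2.0 behaviour per the comment).
Result getWithUvThenPinFallback(const Authenticator& send) {
    Result r{Status::Ok, {}};
    auto issue = [&](Step s) { r.sent.push_back(s); return send(s); };

    // 1. Try built-in user verification first instead of defaulting to PIN.
    r.status = issue(Step::GetWithUv);
    // An assertion, or a refusal of PIN fallback: stop here either way.
    if (r.status != Status::PinRequired)
        return r;

    // 2. The authenticator asked for PIN fallback: obtain a pinToken.
    for (Step s : {Step::GetKeyAgreement, Step::GetPinToken}) {
        r.status = issue(s);
        if (r.status != Status::Ok)
            return r; // PIN exchange failed; do not retry the get request
    }

    // 3. Retry the get request, now authorised with pinAuth.
    r.status = issue(Step::GetWithPinAuth);
    return r;
}
```
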