[Webkit-unassigned] [Bug 213934] New: [WebAuthn] pinToken and uv option are mutually exclusive in CTAP2.0

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 3 13:04:55 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=213934

            Bug ID: 213934
           Summary: [WebAuthn] pinToken and uv option are mutually
                    exclusive in CTAP2.0
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: iPhone / iPad
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: loginllama at gmail.com

iOS 14

Using a usb attached authenticator that has a getInfo options member that includes both clientPin=True and uv=True, causes the platform to first getPINToken then do makeCredential and getAssertion with both pinToken and the uv=1 option.   This is valid in CTAP 2.1 for a three factor authentication.  

In that flow the platform first prompts for clientPin then performs getPINToken.  
It then performs getAssertion with the pinToken and uv=True to force the authenticator to do uv (typically fingerprint) the authenticator must validate both before returning a assertion.

So while technically allowed it is probably not the intent to have iOS do a three factor authentication. 

I would expect for a authenticator that has a getInfo options member that includes both clientPin=True and uv=True in CTAP2.0. (The flow changes in CTAP2.1 but lets start with this.)
1) perform getAssertion or makeCredential with the uv option set to true.
2) If addassertion is returned then return to RP
3) If operation-denied  is returned then error
4) If pin-required is returned fall back to client PIN
5) If the getInfo options member doesn't include clientPin=True  Then error
6) prompt user for PIN
7) Negotiate shared secret
8) Do getPintoken
9) redo getAssertion with pinToken
10) joy

I skipped some steps depending on the size of the allow list. There is info on maximum credentialID size and max number of credentials in getInfo now that was added in FIDO_2_1_Pre that you should be using as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200703/40f83e09/attachment.htm>

More information about the webkit-unassigned mailing list