[Webkit-unassigned] [Bug 213595] New: Is user activated event necessary for Touch ID/Face ID based WebAuthn?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 25 05:30:47 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213595

            Bug ID: 213595
           Summary: Is user activated event necessary for Touch ID/Face ID
                    based WebAuthn?
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ynojima at redhat.com

Congratulations for Touch ID/Face ID support! I really appreciate your efforts.

I found that Safari restricts Touch ID/Face ID usage to user-activated events (security keys are not restricted).
It seems a reasonable regulation at first glance, but it also restricts calling WebAuthn within a callback of a promise-based asynchronous API.
Here is pseudo code in which Touch ID/Face ID is not available for registration:

```javascript
someElement.onclick = function () {
  var optionsRequest = {
    // set some parameters
  };
  fetch('http://example.com/webauthn/attestation/options', {
      method: "POST",
      body: JSON.stringify(optionsRequest)
    })
  .then(function (response) {
    return response.json(); // parse the options JSON returned by the server
  })
  .then(function (serverOptions) {
    var options = generateOptionsFromServerResponse(serverOptions);
    // WebAuthn is not directly called by the user activated event: create() runs
    // in a promise callback, after the click handler has already returned
    return navigator.credentials.create(options);
  });
};
```

Calling a REST API before the navigator.credentials.create/get invocation to fetch options parameters like the challenge and credentialId(s) is a common pattern on many sites (e.g. google.com, webauthn.io), and is a defined practice in the FIDO document [1].
What is the objective of this restriction? I assumed it is a guard against unintended Touch ID/Face ID sensor activation, but there is a dialog asking for user consent before activating the sensors. It seems a sufficient guard.

As far as I know, restricting local authenticators to user-activated events is not defined in the WebAuthn specification.

I suppose the restriction should be removed, or the allowed scope extended to the promise callback chain, to improve user experience.

[1] https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
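Added example (not the reporter's code, and not WebKit's): the activation gap described in the report can be avoided on the site side by fetching the options endpoint before the click, so `navigator.credentials.create()` runs synchronously inside the click handler. It assumes the server returns JSON with `challenge` and `user.id` as base64url strings; the browser objects (`button`, `credentials`, `fetchOptions`) are injected so both the reported pattern and the prefetching pattern can be exercised offline against a constructed stand-in for Safari's gate.

```javascript
// Decode a base64url string (as served by a typical WebAuthn options endpoint)
// into the ArrayBuffer that PublicKeyCredentialCreationOptions requires.
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}

// Turn the JSON options into the binary form create() needs (assumed server shape).
function buildCreateOptions(json) {
  return { publicKey: { ...json,
    challenge: base64urlToBuffer(json.challenge),
    user: { ...json.user, id: base64urlToBuffer(json.user.id) } } };
}

// The pattern from the report: create() runs in a promise callback, after the
// click's synchronous activation has ended, so an activation-gated browser rejects it.
function wireNaive({ button, fetchOptions, credentials }) {
  button.onclick = () => fetchOptions().then((json) => credentials.create(buildCreateOptions(json)));
}

// Prefetch the options (e.g. on page load) so there is no awaited gap before
// create(); each challenge is consumed once and a fresh one is requested afterwards.
function wireRegistration({ button, fetchOptions, credentials }) {
  let ready = null;
  const refill = () => fetchOptions().then((json) => { ready = buildCreateOptions(json); });
  const first = refill();
  button.onclick = () => {
    const opts = ready;
    ready = null;
    refill();
    if (!opts) return Promise.resolve(null); // not prefetched yet: nothing to do this click
    return credentials.create(opts);         // still inside the user-activated event
  };
  return first; // resolves once the first set of options is in hand
}

// Constructed stand-in for Safari's behaviour, used only for this offline demo:
// create() succeeds only while the synchronous part of a click handler is running.
function makeFakeBrowser(serverJson) {
  const state = { active: false, calls: [] };
  const button = { onclick: null };
  button.click = () => { state.active = true; const r = button.onclick(); state.active = false; return r; };
  const credentials = { create: (opts) => {
    state.calls.push(state.active); // record whether activation was present
    return Promise.resolve(state.active ? { id: 'demo-credential', opts } : null);
  } };
  return { button, credentials, fetchOptions: () => Promise.resolve(serverJson), state };
}
```

Prefetching a challenge that may never be used is acceptable because the server only has to honour each challenge once and can expire it; the real Safari check is in the browser, not in this stand-in.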
