[Webkit-unassigned] [Bug 232501] New: Authenticator is not falling back to clientPIN after internal verification fails and is blocked.

bugzilla-daemon at webkit.org
Fri Oct 29 11:32:10 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=232501

            Bug ID: 232501
           Summary: Authenticator is not falling back to clientPIN after
                    internal verification fails and is blocked.
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: loginllama at gmail.com

Thanks for fixing https://bugs.webkit.org/show_bug.cgi?id=213903

I tested that it works on OSX STP 134.

However in testing I discovered that Safari is not detecting that internal UV is blocked and falling back to getPinToken (CTAP2.0) or getPinUvAuthTokenUsingUvWithPermissions (CTAP2.1).

Safari should fall back when it receives the CTAP2.0 CTAP2_ERR_PIN_REQUIRED error and/or when the CTAP2.1 uvRetries <= 0.

That is the current behavior of Chrome and Windows.

I grant you that the CTAP2.0 spec is less clear on this point than one might hope.

CTAP2.1 https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html is clearer on how platforms should fall back to clientPin for CTAP2.0 authenticators than the CTAP2.0 spec was.

Regards
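To make the requested platform behaviour concrete, here is an added example (not code from the bug report or from WebKit): a toy authenticator and a platform-side getAssertion driver that tries internal UV first and falls back to the clientPIN token path when the authenticator answers CTAP2_ERR_PIN_REQUIRED (CTAP2.0) or reports uvRetries <= 0 (CTAP2.1). The ToyAuthenticator class, the CTAP2_ERR_UV_BLOCKED status name and the subcommand names quoted in comments are assumptions of this example; numeric status values are deliberately not reproduced.

```python
from enum import Enum, auto


class Status(Enum):
    """Symbolic CTAP2 status codes; numeric values are deliberately not reproduced."""
    OK = auto()
    CTAP2_ERR_PIN_REQUIRED = auto()   # named in the report: CTAP2.0's "use the PIN" signal
    CTAP2_ERR_UV_BLOCKED = auto()     # assumed CTAP2.1 name for an exhausted internal UV


class ToyAuthenticator:
    """Constructed stand-in for a security key whose built-in UV can lock out."""

    def __init__(self, ctap_version, uv_retries, pin="1234"):
        self.ctap_version = ctap_version   # "2.0" or "2.1"
        self.uv_retries = uv_retries       # remaining internal-UV attempts
        self.pin = pin                     # constructed sample PIN

    def get_uv_retries(self):
        """clientPIN getUVRetries (assumed name); only CTAP2.1 devices answer it."""
        return self.uv_retries if self.ctap_version == "2.1" else None

    def get_assertion_with_internal_uv(self):
        """getAssertion with uv=true: succeeds while retries remain, else reports blocked."""
        if self.uv_retries > 0:
            return Status.OK
        if self.ctap_version == "2.0":
            return Status.CTAP2_ERR_PIN_REQUIRED
        return Status.CTAP2_ERR_UV_BLOCKED

    def pin_token(self, pin):
        """getPinToken (2.0) / getPinUvAuthTokenUsingPinWithPermissions (2.1), assumed names."""
        return "pinUvAuthToken" if pin == self.pin else None


def get_assertion(auth, ask_user_for_pin):
    """Platform side: prefer internal UV, fall back to clientPIN when it is blocked.

    Returns the path that produced the assertion, or raises if neither works.
    """
    retries = auth.get_uv_retries()
    if retries is None or retries > 0:      # 2.0 cannot ask; 2.1 can skip a blocked UV
        status = auth.get_assertion_with_internal_uv()
        if status is Status.OK:
            return "internalUv"
        if status not in (Status.CTAP2_ERR_PIN_REQUIRED, Status.CTAP2_ERR_UV_BLOCKED):
            raise RuntimeError(f"unexpected status {status.name}")
    # Internal UV blocked (PIN_REQUIRED, UV_BLOCKED or uvRetries <= 0): use the PIN path.
    token = auth.pin_token(ask_user_for_pin())
    if token is None:
        raise RuntimeError("PIN rejected")
    return "clientPin"
```

The failure the report describes corresponds to stopping after the first getAssertion status instead of continuing into the PIN branch.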
