[Webkit-unassigned] [Bug 231043] New: WebAuthn getAssertion for CTAP2 devices using CTAP1

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 30 16:12:04 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=231043

            Bug ID: 231043
           Summary: WebAuthn getAssertion for CTAP2 devices using CTAP1
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Intel)
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: loginllama at gmail.com

This is a regression.  Safari was using CTAP2 for CTAP2.0 and CTAP2.1 devices.

In Safari 15.1 and STP 15.4 I am still seeing Safari using CTAP2.0 for make credential, but all getAssertion commands are using CTAP1/U2F to talk to CTAP2.0 and CTAP2.1 authenticators.

If the RP specifies User Verification: required, then the external authenticator doesn't flash; Safari appears not to send the request to the authenticator.

I have tested with older CTAP2.0 authenticators so I don't think it is anything new with getInfo on the keys that is causing this issue.

I recall that this happened before because of a getInfo parsing error causing Safari to fall back to CTAP1. However, since this is not impacting makeCredential, it is probably something else.

Currently any site that sets User Verification required (e.g. Microsoft) is going to be broken with roaming authenticators.

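For context on why a CTAP1/U2F fallback matters to a relying party that sets User Verification: required: U2F can only assert user presence, so the authenticator data in such an assertion does not carry the UV flag, and a server enforcing the policy has to reject it. The following is an added example, not code from the bug report or from WebKit; the function names and sample bytes are constructed, and it covers only the flags check, not signature, challenge or rpIdHash verification.

```javascript
// Added example. Authenticator data layout per the WebAuthn spec:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData shorter than 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Enforce the userVerification value the RP put in its request options.
function checkUserVerification(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "UP flag not set" };
  if (userVerification === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required but UV flag not set" };
  }
  return { ok: true, reason: parsed.userVerified ? "UP+UV" : "UP only" };
}

// Constructed sample input: zeroed rpIdHash placeholder, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

const upOnly = sampleAuthData(FLAG_UP, 7);            // presence only, as U2F provides
const upAndUv = sampleAuthData(FLAG_UP | FLAG_UV, 8); // presence plus PIN/biometric
console.log(checkUserVerification(upOnly, "required"));
console.log(checkUserVerification(upOnly, "preferred"));
console.log(checkUserVerification(upAndUv, "required"));
```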