[Webkit-unassigned] [Bug 239807] New: [WebAuthn] .get() with UV = "discouraged" and no allowList has "PIN Unrecognized" error on some security key

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 27 03:10:00 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239807

            Bug ID: 239807
           Summary: [WebAuthn] .get() with UV = "discouraged" and no
                    allowList has "PIN Unrecognized" error on some
                    security key
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Intel)
                OS: macOS 11
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nuno.sung at authentrend.com

Created attachment 458436

  --> https://bugs.webkit.org/attachment.cgi?id=458436&action=review

.get() PIN unrecognized

[Environment]
macOS Big Sur 11.6.5
MacBook Pro(Retina, 13-inch, Mid 2014)
STP: Release-143(Safari 15.4, WebKit 16614.1.7.7)
Safari: 15.4 (16613.1.17.1.13, 16613)
[Repro Steps]

1. Use an external security key with option.alwaysUv=true, like YubiKey Bio, and only set up clientPIN (no fingerprint)
2. Use the test website "https://webauthntest.azurewebsites.net/".
3. Click "+" to create a credential, Require Resident Key=true, Attestation=Direct and others are default undefined > Click "Create"
4. Follow the steps on screen to finish registration (Safari asks for touch > PIN > touch) >> Reg should be fine
5. Repeat steps 3~4 to create 3 credentials with different user info
6. Click "Get credential", UV=discouraged, Use allowCredentials=unchecked
7. Click "GET" and enter the correct clientPIN

[Result]
1. An "Unrecognized PIN code" error is shown
2. The dialog for selecting among multiple credentials does not show up as it does with the other .get() UV settings (Undefined/Preferred/Required), and getting the credential fails.

[Note]
I guess this may be related to the modification in https://bugs.webkit.org/show_bug.cgi?id=206547; other browsers like Chrome/Edge will send the .get() command with pinUvAuthToken directly in this case.

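The case in the report, as a simplified model of the decision a WebAuthn client makes before sending CTAP2 authenticatorGetAssertion (an added example, not code from WebKit, Chrome/Edge or the reporter). It assumes the CTAP 2.1 meaning of the `alwaysUv`, `clientPin` and `uv` getInfo options; `buildGetOptions`, `planGetAssertion` and `rp.example` are hypothetical names.

```javascript
// Simplified model, for illustration only: does the client need a
// pinUvAuthToken before calling authenticatorGetAssertion?

// Request shaped like repro step 6: no allowCredentials, UV as selected.
function buildGetOptions(userVerification) {
  // Constructed placeholder values; a real RP supplies a random challenge.
  const opts = { challenge: new Uint8Array(32), rpId: "rp.example" };
  if (userVerification !== undefined) opts.userVerification = userVerification;
  return opts;
}

// authenticatorOptions mirrors the "options" map of authenticatorGetInfo:
//   alwaysUv  - authenticator demands user verification on every request
//   clientPin - a PIN has been set
//   uv        - a built-in method (e.g. fingerprint) is enrolled
function planGetAssertion(requestOptions, authenticatorOptions) {
  const uv = requestOptions.userVerification ?? "preferred"; // WebAuthn default
  const canVerify =
    authenticatorOptions.clientPin === true || authenticatorOptions.uv === true;
  const allow = requestOptions.allowCredentials;
  const discoverable = !allow || allow.length === 0;

  let needsPinUvAuthToken = false;
  let reason = "uv-not-requested";
  if (authenticatorOptions.alwaysUv === true) {
    // The RP's "discouraged" does not override the authenticator's policy.
    needsPinUvAuthToken = true;
    reason = "authenticator-alwaysUv";
  } else if (uv === "required") {
    needsPinUvAuthToken = true;
    reason = "rp-required";
  } else if (uv === "preferred" && canVerify) {
    needsPinUvAuthToken = true;
    reason = "rp-preferred";
  }
  if (needsPinUvAuthToken && !canVerify) {
    return { discoverable, needsPinUvAuthToken, reason, error: "no-uv-method-configured" };
  }
  return { discoverable, needsPinUvAuthToken, reason, error: null };
}

// Key from repro step 1: alwaysUv on, PIN set, no fingerprint enrolled.
const reportedKey = { alwaysUv: true, clientPin: true, uv: false };
for (const setting of [undefined, "preferred", "required", "discouraged"]) {
  console.log(setting, planGetAssertion(buildGetOptions(setting), reportedKey));
}
```

In this model the key from step 1 needs a token for all four UV settings, so "discouraged" follows the same PIN path as the others; a key without `alwaysUv` would skip it.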