[Webkit-unassigned] [Bug 249751] New: WebAuthn PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() does not account for iCloud Keychain sync enterprise policy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 21 14:51:03 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=249751

            Bug ID: 249751
           Summary: WebAuthn PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() does not account for iCloud Keychain sync enterprise policy
           Product: WebKit
           Version: Safari 16
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: matthew at millerti.me

A customer of ours using a MacBook Pro running macOS Ventura 13 has iCloud Keychain sync disabled via enterprise policy. When they attempted to register the platform authenticator using WebAuthn, with `"authenticatorAttachment": "platform"` specified in the options passed to `navigator.credentials.create()`, Safari shows the expected "you must enable iCloud Keychain sync to use the platform authenticator" prompt. The customer was using a managed device, though, and had no option to enable iCloud Keychain sync. They could not continue with registration.

The issue I want to report here is that the only reason we allowed the customer to attempt to perform platform authenticator registration is because we queried `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` to see if a platform authenticator was available, and were told "yes, a UV platform authenticator is available." However, according to enterprise policy and platform authenticator restrictions introduced in macOS 13, the platform authenticator is NOT available because iCloud Keychain sync had been disabled. I believe `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` should take this into account, and return `false` when the platform authenticator CANNOT be used due to platform authenticator prerequisites not being fulfilled due to enterprise policy, user preference, etc.

And to clarify, I'm not suggesting that `isUVPAA()` say _why_ it's returning false, just to be willing to return `false` for situations in which the platform authenticator is in absolute terms present but is not truly available.

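As an added example (not code from the bug report or from WebKit), here is the relying-party side of the flow described above, written so that registration does not depend on `isUVPAA()` alone: it assumes that a platform ceremony the user cannot complete surfaces to the page as a `NotAllowedError`, and it injects the two browser APIs so the logic can run outside a browser; `managedMacFake` and `SAMPLE_OPTIONS` are constructed stand-ins.

```javascript
// Added example, not code from the bug report or from WebKit. isUVPAA() is
// treated as a hint, not a guarantee: try "platform" first when it says yes and,
// on NotAllowedError (assumed to be what the RP sees when the iCloud Keychain
// prompt cannot be satisfied), retry with "cross-platform" so a security key
// can still be registered. isUVPAA/credentials are injected for testability.

function buildCreateOptions(baseOptions, attachment) {
  // Keep the RP's challenge/rp/user/pubKeyCredParams, vary only the attachment.
  const selection = { ...(baseOptions.authenticatorSelection || {}), authenticatorAttachment: attachment };
  return { publicKey: { ...baseOptions, authenticatorSelection: selection } };
}

async function registerWithFallback(baseOptions, { isUVPAA, credentials }) {
  const attempts = [];
  // The capability query only decides the order of attempts, never whether a
  // fallback is offered: on the managed Mac in the report it still answers true.
  const order = (await isUVPAA()) ? ["platform", "cross-platform"] : ["cross-platform"];
  for (const attachment of order) {
    try {
      const credential = await credentials.create(buildCreateOptions(baseOptions, attachment));
      attempts.push({ attachment, ok: true });
      return { credential, attachment, attempts };
    } catch (err) {
      attempts.push({ attachment, ok: false, error: err.name });
      if (err.name !== "NotAllowedError") throw err; // anything else is a real failure
    }
  }
  return { credential: null, attachment: null, attempts };
}

// Constructed stand-in for the report's scenario: the query says a UV platform
// authenticator is available, the platform ceremony cannot complete, a key works.
function managedMacFake() {
  const notAllowed = Object.assign(new Error("ceremony did not complete"), { name: "NotAllowedError" });
  return {
    isUVPAA: async () => true,
    credentials: {
      create: async ({ publicKey }) => {
        if (publicKey.authenticatorSelection.authenticatorAttachment === "platform") throw notAllowed;
        return { id: "constructed-credential-id", type: "public-key" };
      },
    },
  };
}

const SAMPLE_OPTIONS = { // constructed; a real RP uses a server-issued random challenge
  challenge: new Uint8Array(32), rp: { name: "Example RP" },
  user: { id: new Uint8Array(16), name: "alice", displayName: "Alice" },
  pubKeyCredParams: [{ type: "public-key", alg: -7 }] };
```

In a page, call `registerWithFallback(options, { isUVPAA: PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable, credentials: navigator.credentials })` and inspect `attempts` to see which attachment actually succeeded.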