[Webkit-unassigned] [Bug 249751] New: WebAuthn PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() does not account for iCloud Keychain sync enterprise policy
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Dec 21 14:51:03 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=249751
Bug ID: 249751
Summary: WebAuthn
PublicKeyCredential.isUserVerifyingPlatformAuthenticat
orAvailable() does not account for iCloud Keychain
sync enterprise policy
Product: WebKit
Version: Safari 16
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: matthew at millerti.me
A customer of ours using a MacBook Pro running macOS Ventura 13 has iCloud Keychain sync disabled via enterprise policy. When they attempted to register the platform authenticator using WebAuthn, with `"authenticatorAttachment": "platform"` specified in the options passed to `navigator.credentials.create()`, Safari shows the expected, "you must enable iCloud Keychain sync to use the platform authenticator" prompt. The customer was using a managed device, though, and had no option to enable iCloud Keychain sync. They could not continue with registration.
The issue I want to report here is that the only reason we allowed the customer to attempt to perform platform authenticator registration is because we queried `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` to see if a platform authenticator was available, and was told "yes, a UV platform authenticator is available." However, according to enterprise policy and platform authenticator restrictions introduced in macOS 13, the platform authenticator is NOT available because iCloud Keychain sync had been disabled. I believe `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` should take this into account, and return `false` when the platform authenticator CANNOT be used due to platform authenticator prerequisites not being fulfilled due to enterprise policy, user preference, etc...
And to clarify, I'm not suggesting that `isUVPAA()` say _why_ it's returning false, just to be willing to return `false` for situations in which the platform authenticator is in absolute terms present but is not truly available.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221221/14844d3f/attachment.htm>
More information about the webkit-unassigned
mailing list