[Webkit-unassigned] [Bug 266807] New: [Webauthn] makeCred with UV=discouraged will have additional authenticator selection action and defaulting to clientPin still
bugzilla-daemon at webkit.org
Fri Dec 22 00:15:13 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=266807
Bug ID: 266807
Summary: [Webauthn] makeCred with UV=discouraged will have
additional authenticator selection action and
defaulting to clientPin still
Product: WebKit
Version: Safari 17
Hardware: Unspecified
OS: macOS 14
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: nuno.sung at authentrend.com
[Environment]
- macOS: 12.7/14.2
- Browser: Safari 17.2
- Security key: Yubikey Bio, with clientPin and fingerprint provisioned already.
[Steps]
- Test make() in https://webauthntest.identitystandards.io with "User Verification=discouraged"; leaving the others as `undefined` is okay.
[Issues]
1. User needs to touch the Yubikey as authenticator selection, but with other "User Verification" values, there is no such behavior.
- it should be due to this line, https://github.com/WebKit/WebKit/commit/6abf9728aa39e1729ff9da1dc35773398d68020d#diff-d2f6aadaece174d3e1b70540f21f75e2b85dc0a0d53cf3dedee1c807744c51d2R99
- I think it's okay if the intention is to let the user select which Security Key with no UV provisioned to use.
2. After touching the Yubikey, the PIN prompt pops up to ask for the PIN; this would be the resolved issue of https://bugs.webkit.org/show_bug.cgi?id=213903, which still happens only under "User Verification=discouraged".
--
You are receiving this mail because:
You are the assignee for the bug.
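
An added example, not part of the original report or of WebKit's code: a relying-party tester can build the same `create()` request as the reproduce step and then read the flags byte of the returned authenticatorData to see whether the authenticator reported user verification. The function names, the RP id `rp.example`, the user fields and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example; names, RP id and sample bytes are constructed, not from the report.

// Options matching the report's step: only userVerification is set, the rest stay undefined.
function buildCreateOptions(challenge, userId) {
  return {
    publicKey: {
      rp: { id: "rp.example", name: "Example RP" },            // placeholder RP
      user: { id: userId, name: "tester", displayName: "Tester" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],     // ES256
      authenticatorSelection: { userVerification: "discouraged" },
    },
  };
}

// authenticatorData layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthDataFlags(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) throw new RangeError("authenticatorData shorter than 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset + 33, 4);
  const out = { signCount: view.getUint32(0) };                // big-endian counter
  for (const [name, bit] of Object.entries(FLAGS)) out[name] = (bytes[32] & bit) !== 0;
  return out;
}

// Compare what the RP asked for with what the authenticator reports it did.
function describeUv(requested, authData) {
  const { UP, UV } = parseAuthDataFlags(authData);
  if (UV) return requested === "discouraged" ? "UV performed although discouraged" : "UV performed";
  if (requested === "required") return "reject: UV required but not performed";
  return UP ? "user presence only" : "no user presence";
}

// Constructed sample: zeroed rpIdHash, chosen flags byte, signCount = 1.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 1;
  return b;
}

// In a browser that supports getAuthenticatorData():
//   const cred = await navigator.credentials.create(buildCreateOptions(challenge, userId));
//   describeUv("discouraged", cred.response.getAuthenticatorData());
```

A server-side verifier applies the same flag check after CBOR-decoding `attestationObject`; the flags byte sits at offset 32 of `authData` in both cases.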