[Webkit-unassigned] [Bug 250866] New: WebAuthn registration does not prompt for system password when passkey is created while macOS device is closed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 19 15:02:20 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=250866

            Bug ID: 250866
           Summary: WebAuthn registration does not prompt for system
                    password when passkey is created while macOS device is
                    closed
           Product: WebKit
           Version: Safari 16
          Hardware: Mac (Apple Silicon)
                OS: macOS 13
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: matthew at millerti.me

Calls to `navigator.credentials.create()` in Safari 16.2 in macOS 13.1 on an M1 Pro MacBook Pro return a response with `uv:false` if `userVerification: "preferred"` is passed in while the MacBook is in "clamshell mode", that is, the laptop is closed while connected to and used with an external monitor, keyboard, and mouse.

## Expected Result

The platform authenticator prompts for the system password/Apple Watch interaction to perform user verification.

## Reproduction Steps

1. Connect a MacBook to an external monitor, keyboard, and mouse
2. Close the MacBook
3. Make the following WebAuthn request in Safari

```
navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([1, 2, 3]),
    rp: {
      name: 'SimpleWebAuthn Example',
      id: 'localhost'
    },
    user: {
      id: new Uint8Array([1, 2, 3]),
      name: 'user at localhost',
      displayName: 'user at localhost'
    },
    pubKeyCredParams: [
      { alg: -7, type: 'public-key' },
      { alg: -257, type: 'public-key' },
    ],
    timeout: 60000,
    attestation: 'none',
    authenticatorSelection: {
      userVerification: 'preferred',
    },
  },
});
```

4. Click Continue on the typical prompt to save a passkey in iCloud Keychain
5. Observe the following response containing `uv: false` (you can drop it into https://debugger.simplewebauthn.dev/ to confirm)

```
{
  "id": "MjdWlXQGnJ6Q4HRy0Z06YGx4rL8",
  "rawId": "MjdWlXQGnJ6Q4HRy0Z06YGx4rL8",
  "response": {
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDI3VpV0BpyekOB0ctGdOmBseKy_pQECAyYgASFYIJKaK0s4gnDCwe9BNIY2miE6VEPm3_FZCpA3FLeos7wyIlgg9GdSUZQdr_qjxdNC_2ontuzElx-tm0efIVpjNS5Vccc",
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiYUs4Ym12N1drYzhnOW5ySmJnVGZCb1o4aUNTODhFUFRscTdSdWpUNjFkayIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMCJ9",
    "transports": [
      "internal",
      "hybrid"
    ]
  },
  "type": "public-key",
  "authenticatorAttachment": "platform"
}
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
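
The `uv: false` in the report is bit 2 of the flags byte in the authenticator data carried inside `attestationObject`. As an added example (not part of the original report and not WebKit code), the following Node.js code decodes that byte from the response quoted in the report and shows a relying-party check that refuses a registration without user verification; the function names are assumptions.

```javascript
// Added example (Node.js, no dependencies); function names are assumptions.
// Minimal CBOR reader covering only what a fmt "none" attestationObject uses.
function readCbor(buf, pos = 0) {
  const major = buf[pos] >> 5;
  let len = buf[pos] & 0x1f;
  pos += 1;
  if (len === 24) { len = buf[pos]; pos += 1; }
  else if (len === 25) { len = buf.readUInt16BE(pos); pos += 2; }
  else if (len > 25) throw new Error('unsupported CBOR length encoding');
  if (major === 2 || major === 3) { // byte string or text string
    if (pos + len > buf.length) throw new Error('truncated CBOR string');
    const bytes = buf.subarray(pos, pos + len);
    return { value: major === 3 ? bytes.toString('utf8') : bytes, pos: pos + len };
  }
  if (major === 5) { // map holding `len` key/value pairs
    const map = {};
    for (let i = 0; i < len; i++) {
      const key = readCbor(buf, pos);
      const val = readCbor(buf, key.pos);
      map[key.value] = val.value;
      pos = val.pos;
    }
    return { value: map, pos };
  }
  throw new Error('unsupported CBOR major type ' + major);
}

// authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function parseAuthenticatorFlags(attestationObjectB64url) {
  // Node's 'base64' decoder also accepts the URL-safe alphabet.
  const { authData } = readCbor(Buffer.from(attestationObjectB64url, 'base64')).value;
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    throw new Error('authData missing or too short');
  }
  const flags = authData[32];
  return { up: !!(flags & 0x01), uv: !!(flags & 0x04), be: !!(flags & 0x08),
           bs: !!(flags & 0x10), at: !!(flags & 0x40) };
}

// Relying-party policy: refuse a registration whose UV flag is clear.
function assertUserVerified(attestationObjectB64url) {
  const flags = parseAuthenticatorFlags(attestationObjectB64url);
  if (!flags.uv) throw new Error('registration rejected: UV flag not set');
  return flags;
}

// attestationObject copied verbatim from the response in the report.
const REPORTED_ATTESTATION_OBJECT = 'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDI3VpV0BpyekOB0ctGdOmBseKy_pQECAyYgASFYIJKaK0s4gnDCwe9BNIY2miE6VEPm3_FZCpA3FLeos7wyIlgg9GdSUZQdr_qjxdNC_2ontuzElx-tm0efIVpjNS5Vccc';
```

For the reported response the flags byte is `0x59`: user presence, backup eligibility, backup state and attested credential data are set, while user verification is clear. With `userVerification: 'preferred'` a relying party may still accept such a response, so a site that depends on verification has to enforce the flag server-side as `assertUserVerified` does.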