Bug 213610

Summary: [WebAuthn] Support device passcode as well as biometrics
Product: WebKit
Reporter: Christiaan Brand <cbrand>
Component: WebKit Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: bfulgham, eirbjo, jiewen_tan, lingho, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=181943

Description Christiaan Brand 2020-06-25 10:33:36 PDT
From the demo, it looks like WebAuthn "platform" support is restricted to biometrics. This is challenging from an accessibility standpoint as well as just in-general for user experience. Is it possible to add the ability to unlock keys using "anything the device can be unlocked with" here? This seems to be in-line with how WebAuthn platform authenticators are implemented elsewhere (Windows Hello, Android, etc). There doesn't seem to be a security benefit to doing it the way it's currently being done, unless all platform keys are blown away on biometric profile change, which I think will be unfortunate.
Comment 1 Radar WebKit Bug Importer 2020-06-25 18:01:22 PDT
<rdar://problem/64783399>
Comment 2 Jiewen Tan 2020-06-25 18:40:35 PDT
(In reply to Christiaan Brand from comment #0)
> From the demo, it looks like WebAuthn "platform" support is restricted to
> biometrics. This is challenging from an accessibility standpoint as well as
> just in-general for user experience. Is it possible to add the ability to
> unlock keys using "anything the device can be unlocked with" here? This
> seems to be in-line with how WebAuthn platform authenticators are
> implemented elsewhere (Windows Hello, Android, etc). There doesn't seem to
> be a security benefit to doing it the way it's currently being done, unless
> all platform keys are blown away on biometric profile change, which I think
> will be unfortunate.

The current implementation does allow fallback to passcode if Touch ID/Face ID fails multiple times in a row. It's an interesting point to offer it directly to users with some forms of accessibility features turned on.
Comment 3 eirbjo 2020-06-26 00:48:35 PDT
My two cents:

I would love to see the Apple Watch added to "anything the device can be unlocked with".

We have tried out Apple Watch unlock since it was enabled in Chrome 84 (now in beta), and we think it provides a great user experience. 

Touch ID works nicely with your hands actually on the Mac keyboard. With your Mac connected to an external monitor and keyboard, it may require more effort, either because the sensor falls out of reach from your position, or because the lid is closed.

Because the Apple Watch is always on your hand, it provides a very close, connected and intuitive user experience. Also works great in demos :-)
Comment 4 Brent Fulgham 2022-06-23 13:46:38 PDT
I think most of the goals of this suggestion have been handled with the new Passkeys initiative.