| Summary: | [WebAuthn] problem with uv = required for makeCredential | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | login Llama <loginllama> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | dwaite, jiewen_tan, loginllama |
| Priority: | P2 | | |
| Version: | Safari Technology Preview | | |
| Hardware: | iPhone / iPad | | |
| OS: | Other | | |
| Bug Depends on: | | | |
| Bug Blocks: | 181943 | | |

Description
login Llama
2020-07-02 12:04:49 PDT
Doing some more testing I discovered that uv = required from the RP will work if the authenticator advertises support for internal uv in its getInfo. There is not a one-to-one mapping between uv in WebAuthn and the UV option in makeCredential.

I have tried a Yubico Blue Security Key with PIN set, same model with no PIN, and a Feitian BioPass on https://webauthntest.azurewebsites.net with UV = required, and cannot reproduce. Can you suggest a more detailed way of reproducing the issue?

Reproduced on webauthn.io, webauthn.me as well as our own service.

Note: steps to reproduce are done on Safari Version 14.0 (16610.1.23.1.3) on Big Sur 20A5343i with a Yubikey 5ci (first production run).

Steps to reproduce:

1. Navigate to https://webauthn.me/debugger
2. Enable `authenticatorSelection`
3. Enable `requireResidentKey`
4. Enable `userVerification`
5. Set `userVerification` to `required`

If key has no PIN previously configured, the key will flash but the UP gesture will be ignored.

If the key has a PIN configured, the key will not flash.

If userVerification is set to `preferred`, the user will be asked to enter a PIN after the user gesture. On second UP gesture, the operation will succeed.

I see similar behavior with #213895 (but that requires making a credential first).

Without (yet) reviewing code, my suspicion is that this might be a filtering operation where the user verification flag in authenticatorGetInfo is used. The `uv` flag is only meant to indicate the authenticator performs internal verification, such as via a biometric sensor or PIN entry pad.

Looking into it more, I suspect that uv=true and no pin auth during discovery is the reason that the authenticator does not flash in the "PIN set" case.
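
The distinction discussed in this thread, sketched as an added example (not WebKit code and not from any commenter): how a client could choose a user verification method from the `uv` and `clientPin` entries of an authenticatorGetInfo options map, compared with a filter that looks at `uv` alone. All function names and sample option maps are hypothetical and constructed, and the `uv`-only filter models the suspicion voiced above, not confirmed browser behaviour.

```javascript
// Added illustration; function names are hypothetical, not WebKit's.
// `options` is the options map of an authenticatorGetInfo response:
//   uv: true         built-in verification (e.g. biometric) is enrolled
//   uv: false        built-in verification exists but is not enrolled
//   clientPin: true  a PIN is set; clientPin: false  PIN supported, not set
//   key absent       capability not supported
function planUserVerification(options, requirement) {
  if (requirement !== 'required' && requirement !== 'preferred') {
    throw new RangeError('only "required" and "preferred" are modeled here');
  }
  const opts = options || {};
  // Only built-in verification maps onto the makeCredential `uv` option.
  if (opts.uv === true) {
    return { method: 'builtin-uv', sendUvOption: true, sendPinAuth: false };
  }
  // A PIN-protected key does not advertise uv: true; it verifies the
  // user through pinAuth computed from the PIN the client collects.
  if (opts.clientPin === true) {
    return { method: 'client-pin', sendUvOption: false, sendPinAuth: true };
  }
  if (requirement === 'preferred') {
    return { method: 'none', sendUvOption: false, sendPinAuth: false };
  }
  // "required" with nothing configured: either the user can enroll a
  // PIN or biometric first, or the authenticator cannot satisfy the RP.
  const canSetUp = opts.clientPin === false || opts.uv === false;
  return { method: canSetUp ? 'needs-setup' : 'unsupported',
           sendUvOption: false, sendPinAuth: false };
}

// Models the filtering suspected in this report: treat the `uv` flag
// alone as "can satisfy userVerification = required".
function uvFlagOnlyFilter(options) {
  return Boolean(options) && options.uv === true;
}

// Constructed option maps, not captured from real devices.
const SAMPLES = {
  pinKeyWithPin: { rk: true, up: true, clientPin: true },
  pinKeyNoPin:   { rk: true, up: true, clientPin: false },
  biometricKey:  { rk: true, up: true, uv: true, clientPin: false },
  u2fStyleKey:   { up: true },
};

for (const [name, options] of Object.entries(SAMPLES)) {
  const plan = planUserVerification(options, 'required');
  console.log(name, '->', plan.method,
              '| passes uv-only filter:', uvFlagOnlyFilter(options));
}
```
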