Bug 213894
| Summary: | [WebAuthn] problem with uv = required for makeCredential | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | login Llama <loginllama> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | dwaite, jiewen_tan, loginllama |
| Priority: | P2 | | |
| Version: | Safari Technology Preview | | |
| Hardware: | iPhone / iPad | | |
| OS: | Other | | |
| Bug Depends on: | | | |
| Bug Blocks: | 181943 | | |
login Llama
In iOS 14 developer beta
The authenticator has a PIN set.
The authenticator is attached over USB/Lightning.
If in WebAuthn uv is unset, or set to discouraged or preferred, registration works as expected: the user is prompted for a PIN and the credential is created.
If in WebAuthn uv is set to required, the user is prompted to insert and activate the security key. After doing UP the dialogue is stuck until it times out.
Given that uv is always required to make a credential in CTAP2.0, this seems like a bug.
login Llama
Doing some more testing, I discovered that uv = required from the RP will work if the authenticator advertises support for internal uv in its getInfo.
There is not a one-to-one mapping between uv in WebAuthn and the UV option in makeCredential.
Jiewen Tan
I have tried a Yubico Blue Security Key with PIN set, same model with no PIN, and a Feitian BioPass on https://webauthntest.azurewebsites.net with UV = required, and cannot reproduce. Can you suggest a more detailed way of reproducing the issue?
David Waite
Reproduced on webauthn.io, webauthn.me as well as our own service.
Note: steps to reproduce are done on Safari Version 14.0 (16610.1.23.1.3) on Big Sur 20A5343i with a YubiKey 5Ci (first production run).
Steps to reproduce:
1. Navigate to https://webauthn.me/debugger
2. Enable `authenticatorSelection`
3. Enable `requireResidentKey`
4. Enable `userVerification`
5. Set `userVerification` to `required`
If the key has no PIN previously configured, the key will flash but the UP gesture will be ignored.
If the key has a PIN configured, the key will not flash.
If userVerification is set to `preferred`, the user will be asked to enter a PIN after the user gesture. On the second UP gesture, the operation will succeed.
I see similar behavior with #213895 (but that requires making a credential first)
Without (yet) reviewing code, my suspicion is that this might be a filtering operation where the user verification flag in authenticatorGetInfo is used. The `uv` flag is only meant to indicate the authenticator performs internal verification, such as via a biometric sensor or PIN entry pad.
David Waite
Looking into it more, I suspect that uv=true and no pin auth during discovery is the reason that the authenticator does not flash in the "PIN set" case.
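Added illustration, not part of any comment above and not WebKit's code: a simplified model of how a client could map the WebAuthn `userVerification` requirement onto CTAP2 makeCredential parameters using the `uv` and `clientPin` options from authenticatorGetInfo, next to the `uv`-flag-only filter that the thread suspects. Function names and the sample option sets are hypothetical and constructed for this example.

```javascript
// Added illustration, not WebKit code. Option names (uv, clientPin) are the
// CTAP2 authenticatorGetInfo options; function names are hypothetical.

// The filter suspected in the thread: only built-in UV counts as verification.
function uvFlagOnlyFilter(requirement, options = {}) {
  return requirement !== "required" || options.uv === true;
}

// Fuller model: a set client PIN also verifies the user, through pinAuth.
function planUserVerification(requirement, options = {}) {
  const builtInUv = options.uv === true;        // internal UV present and configured
  const pinSet = options.clientPin === true;    // PIN supported and set
  const pinUnset = options.clientPin === false; // PIN supported, none set yet

  if (requirement !== "discouraged" && builtInUv) {
    return { usable: true, method: "built-in-uv", params: { options: { uv: true } } };
  }
  if (pinSet) {
    // Matches the report: a PIN prompt appears even for discouraged/preferred.
    // pinAuth is computed over clientDataHash with a pinToken obtained via
    // authenticatorClientPIN; a placeholder stands in for it here.
    return { usable: true, method: "client-pin", params: { pinProtocol: 1, pinAuth: "<placeholder>" } };
  }
  if (requirement === "required") {
    // The user would have to set a PIN first; otherwise the key cannot do UV.
    return { usable: false, method: pinUnset ? "pin-not-set" : "unsupported", params: null };
  }
  return { usable: true, method: "none", params: {} };
}

// Constructed getInfo option sets, not captured from real devices.
const SAMPLE_KEYS = {
  pinOnlyKeyWithPin: { rk: true, up: true, clientPin: true },
  pinOnlyKeyNoPin: { rk: true, up: true, clientPin: false },
  biometricKey: { rk: true, up: true, uv: true, clientPin: true },
  u2fStyleKey: { up: true },
};

// Side-by-side result of both checks for every sample key.
function compare(requirement) {
  return Object.entries(SAMPLE_KEYS).map(([name, opts]) => ({
    name,
    flagOnly: uvFlagOnlyFilter(requirement, opts),
    method: planUserVerification(requirement, opts).method,
  }));
}

console.table(compare("required"));
```

The row to look at is `pinOnlyKeyWithPin`: the flag-only filter rejects it for `required`, while the fuller model satisfies the requirement through the PIN.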