Bug 213895

Summary: [WebAuthn] problem with uv = required for getAssertion
Product: WebKit Reporter: login Llama <loginllama>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: jiewen_tan, loginllama
Priority: P2    
Version: Safari Technology Preview   
Hardware: iPhone / iPad   
OS: Other   
Bug Depends on:    
Bug Blocks: 181943    

Description login Llama 2020-07-02 12:26:54 PDT 
In iOS 14 developer beta
The authenticator has a pin set:

The Authenticator is attached over USB/Lightning.

If in WebAuthn uv is unset, or set to preferred authentication works as expected the user is prompted for a pin and the credential is asserted with uv=1 in authenticator data.
If in WebAuthn uv is set to discouraged authentication works as expected the user is not prompted for a pin and the credential is asserted with uv=0 in authenticator data.

If in WebAuthn uv is set to required, the user is prompted to insert and activate the security key.  After doing UP the dialogue is stuck until it times out.

NFC attachment seems to have the same issue. 

Strange preferred works but not required.
Comment 1 login Llama 2020-07-03 12:39:29 PDT 
Doing some more testing I discovered that uv = required from the RP will work if the authenticator advertises support for internal uv in its getInfo.

There is not a one to one mapping between uv in webAuthn and the UV option in getAssertion.
Comment 2 Jiewen Tan 2020-07-28 01:02:05 PDT 
I have tried a Yubico Blue Security Key with PIN set, same model with no PIN, and a Feitian BioPass on https://webauthntest.azurewebsites.net with UV = required, and cannot reproduce. Can you suggest a more detailed way of reproducing the issue?