|Summary:||[WebAuthn] Don't set the UV option if the authenticator doesn't support it|
|Product:||WebKit||Reporter:||login Llama <loginllama>|
|Component:||WebKit Misc.||Assignee:||Jiewen Tan <jiewen_tan>|
|Severity:||Normal||CC:||bfulgham, darin, duwoka, jiewen_tan, navindra, webkit-bug-importer|
|Version:||Safari Technology Preview|
|Hardware:||iPhone / iPad|
|Bug Depends on:|
Description login Llama 2020-08-25 20:31:34 PDT
This is related to Bug 213934 For CTAP2.0 and CTAP2.1_Pre authenticators that don't support internal user verification sending the UV option will cause a CTAP2_ERR_UNSUPPORTED_OPTION. See authenticatorMakeCredential step 3 ( https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential ) and authenticatorGetAssertion Step 5. During Authenticator selection if clientPin is set in getInfo options, the platform is sending a dummy request to the authenticator to make the led blink to determine what authenticator to use. This works when the webAuthn request contains User Verification absent/Discouraged/preferred. However if User Verification required is sent by the RP the platform includes the uv=true option and that causes a CTAP2_ERR_UNSUPPORTED_OPTION error for CTAP2.0 authenticators that don't support internal UV. For Authenticators that do support internal UV it seems that some are performing internal UV (fingerprint etc) and not returning the expected error. I expect that the CTAP 2.0 authenticators with no internal UV are also going to have a further problem after authenticator selection if both a pinToken and uv option are sent to them. Bio Authenticators receiving both the uv option and pintoken may or may not work. My test CTAP2.1 authenticators that ignore the UV option work but as client pin authenticators ignoring the fingerprint, and other authenticators like the biopass I tested are not working. The first step would be to remove the uv option being sent with pintoken. That should never happen in CTAP 2.0. I hope that platforms MUST NOT do that is more clear in the CTAP2.1 spec. This should explain why the MS test page that sets user verification required won't work with a YK 5Ci but the same key will work just fine with a resident credential on a site with User Verification optional.
Comment 2 login Llama 2020-08-26 14:06:40 PDT
I retested with with iOS developer beta 6, and as expected the behavior is the same.
Comment 3 Jiewen Tan 2020-09-13 22:35:41 PDT
The spec suggests: "user verification: Instructs the authenticator to require a gesture that verifies the user to complete the request. Examples of such gestures are fingerprint scan or a PIN." The "PIN" mentioned there is confusing with ClientPIN. Should we fix this confusing text in CTAP 2.1 as well? @John, what do you think?
Comment 4 Jiewen Tan 2020-09-13 23:35:01 PDT
*** Bug 216180 has been marked as a duplicate of this bug. ***
Comment 5 Jiewen Tan 2020-09-13 23:36:06 PDT
*** Bug 214266 has been marked as a duplicate of this bug. ***
Comment 8 login Llama 2020-09-18 10:17:11 PDT
Each authentication requires a test of user presence. In some cases the user verification method also provides the test of user presence such as a fingerprint. The clientPIN is never considered a test of user presence. Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost totally re-written. There is still some up caching text that Jeff is still working on so it is not totally merged. RD02 should be available shortly. Let me know if you think it is still confusing.
Comment 9 Jiewen Tan 2020-09-18 17:12:56 PDT
(In reply to login Llama from comment #8) > Each authentication requires a test of user presence. > > In some cases the user verification method also provides the test of user > presence such as a fingerprint. > > The clientPIN is never considered a test of user presence. > > Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost > totally re-written. > > There is still some up caching text that Jeff is still working on so it is > not totally merged. > > RD02 should be available shortly. Let me know if you think it is still > confusing. Sure.
Comment 10 Darin Adler 2020-09-20 11:07:41 PDT
Comment on attachment 409111 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review > Source/WebCore/ChangeLog:14 > + If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it typo: authenticator
Comment 11 Jiewen Tan 2020-09-21 13:44:21 PDT
Comment on attachment 409111 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review Thanks Darin for r+ this patch. >> Source/WebCore/ChangeLog:14 >> + If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it > > typo: authenticator Fixed.