Bug 215836

Summary: [WebAuthn] Don't set the UV option if the authenticator doesn't support it
Product: WebKit Reporter: login Llama <loginllama>
Component: WebKit Misc.Assignee: Jiewen Tan <jiewen_tan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, darin, duwoka, jiewen_tan, navindra, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: iPhone / iPad   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 181943    
Attachments:
Description Flags
Patch
none
Patch
darin: review+
Patch for landing none

Description login Llama 2020-08-25 20:31:34 PDT 
This is related to Bug 213934

For CTAP2.0 and CTAP2.1_Pre authenticators that don't support internal user verification sending the UV option will cause a CTAP2_ERR_UNSUPPORTED_OPTION.

See authenticatorMakeCredential step 3 ( https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential ) and authenticatorGetAssertion Step 5.

During Authenticator selection if clientPin is set in getInfo options, the platform is sending a dummy request to the authenticator to make the led blink to determine what authenticator to use. 

This works when the webAuthn request contains User Verification absent/Discouraged/preferred.  However if User Verification required is sent by the RP the platform includes the uv=true option and that causes a CTAP2_ERR_UNSUPPORTED_OPTION error for CTAP2.0 authenticators that don't support internal UV. 

For Authenticators that do support internal UV it seems that some are performing internal UV (fingerprint etc) and not returning the expected error.

I expect that the CTAP 2.0 authenticators with no internal UV are also going to have a further problem after authenticator selection if both a pinToken and uv option are sent to them.

Bio Authenticators receiving both the uv option and pintoken may or may not work.  My test CTAP2.1 authenticators that ignore the UV option work but as client pin authenticators ignoring the fingerprint, and other authenticators like the biopass I tested are not working.

The first step would be to remove the uv option being sent with pintoken.  That should never happen in CTAP 2.0.  I hope that platforms MUST NOT do that is more clear in the CTAP2.1 spec.

This should explain why the MS test page that sets user verification required won't work with a YK 5Ci  but the same key will work just fine with a resident credential on a site with User Verification optional.
Comment 1 Radar WebKit Bug Importer 2020-08-26 11:20:55 PDT 
<rdar://problem/67817359>
Comment 2 login Llama 2020-08-26 14:06:40 PDT 
I retested with with iOS developer beta 6, and as expected the behavior is the same.
Comment 3 Jiewen Tan 2020-09-13 22:35:41 PDT 
The spec suggests:
"user verification: Instructs the authenticator to require a gesture that verifies the user to complete the request. Examples of such gestures are fingerprint scan or a PIN."

The "PIN" mentioned there is confusing with ClientPIN.

Should we fix this confusing text in CTAP 2.1 as well? @John, what do you think?
Comment 4 Jiewen Tan 2020-09-13 23:35:01 PDT 
*** Bug 216180 has been marked as a duplicate of this bug. ***
Comment 5 Jiewen Tan 2020-09-13 23:36:06 PDT 
*** Bug 214266 has been marked as a duplicate of this bug. ***
Comment 6 Jiewen Tan 2020-09-13 23:48:53 PDT 
Created attachment 408682 [details]
Patch
Comment 7 Jiewen Tan 2020-09-18 00:47:09 PDT 
Created attachment 409111 [details]
Patch
Comment 8 login Llama 2020-09-18 10:17:11 PDT 
Each authentication requires a test of user presence.

In some cases the user verification method also provides the test of user presence such as a fingerprint.  

The clientPIN is never considered a test of user presence. 

Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost totally re-written. 

There is still some up caching text that Jeff is still working on so it is not totally merged.

RD02 should be available shortly.   Let me know if you think it is still confusing.
Comment 9 Jiewen Tan 2020-09-18 17:12:56 PDT 
(In reply to login Llama from comment #8)
> Each authentication requires a test of user presence.
> 
> In some cases the user verification method also provides the test of user
> presence such as a fingerprint.  
> 
> The clientPIN is never considered a test of user presence. 
> 
> Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost
> totally re-written. 
> 
> There is still some up caching text that Jeff is still working on so it is
> not totally merged.
> 
> RD02 should be available shortly.   Let me know if you think it is still
> confusing.

Sure.
Comment 10 Darin Adler 2020-09-20 11:07:41 PDT 
Comment on attachment 409111 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review

> Source/WebCore/ChangeLog:14
> +        If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it

typo: authenticator
Comment 11 Jiewen Tan 2020-09-21 13:44:21 PDT 
Comment on attachment 409111 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review

Thanks Darin for r+ this patch.

>> Source/WebCore/ChangeLog:14
>> +        If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it
> 
> typo: authenticator

Fixed.
Comment 12 Jiewen Tan 2020-09-21 13:46:07 PDT 
Created attachment 409315 [details]
Patch for landing
Comment 13 EWS 2020-09-21 14:32:26 PDT 
Committed r267369: <https://trac.webkit.org/changeset/267369>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 409315 [details].