Malicious sites could employ WebAuthn to bother users infinitely with requests to use biometrics. It would be nice to require user gestures to prevent such attacks.
<rdar://problem/43357293>
Authenticators must do TUP/UV before every operation. The only check you must do is when attestation is returned and it's set to DIRECT; then you must obtain consent from the user to return it to the server.

Biometric authenticators block fingerprint after 5 tries per security requirements.
https://w3c.github.io/webauthn/#user-verification
(In reply to Yuriy Ackermann (FIDO Alliance) from comment #2)
> Authenticators must do TUP/UV before every operation. The only check you
> must do is when attestation is returned and it's set to DIRECT; then you must
> obtain consent from the user to return it to the server.
>
> Biometric authenticators block fingerprint after 5 tries per security
> requirements.

Thanks for your comment. I didn't see that user consent is needed for "DIRECT" attestation in https://www.w3.org/TR/webauthn/ as of Aug 7th 2018. I know Firefox does this.
Besides user gesture, we might want to consider: 2) focus, i.e. whether the requesting page has focus; 3) or even whether it is a background tab.
As far as I know Chrome/Firefox are blocking secure APIs if the page is out of focus:

> https://w3c.github.io/webauthn/#abortoperation
> The visibility and focus state of the Window object determines whether the [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations should continue. When the Window object associated with the Document loses focus, [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations SHOULD be aborted.

Again, this has issues for soft authenticators, like SoftU2F, which obviously change focus and so cause the API to fail. So this needs careful consideration.
Another attack scenario could also be solved by requiring a user gesture: https://www.w3.org/TR/webauthn/#sec-make-credential-privacy.
A user gesture is hard to require for cross-platform authenticators, as RPs nowadays, like Google, would not expect that. Instead, it should be required for our platform authenticators only. Will have a separate bug to add the check whether the document has focus. That, though, can be required for all, which also aligns with Chromium.
Created attachment 398000 [details] Patch
Created attachment 398001 [details] Patch
Created attachment 398015 [details] Patch
Created attachment 398016 [details] Patch
Comment on attachment 398016 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398016&action=review

Looks good. r=me

> Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:-1194
> -        [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];

I assume these preferences are no longer needed, and this is just cleanup?
Comment on attachment 398016 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398016&action=review

Thanks Brent for the r+.

>> Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:-1194
>> -        [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];
>
> I assume these preferences are no longer needed, and this is just cleanup?

No, I changed the mock testing implementation so that it has the feature enabled by default. In a real environment, it is still a default-off experimental feature.
Tools/Scripts/svn-apply failed to apply attachment 398016 [details] to trunk. Please resolve the conflicts and upload a new patch.
Created attachment 398157 [details] Patch for landing
Committed r260983: <https://trac.webkit.org/changeset/260983> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398157 [details].