RESOLVED FIXED Bug 182893
[WebAuthn] Require user gestures for LocalAuthenticator
https://bugs.webkit.org/show_bug.cgi?id=182893
Jiewen Tan
Reported 2018-02-16 15:27:30 PST
Malicious sites could employ WebAuthn to bother users with requests to use biometrics infinitely. It would be nice to require user gestures to prevent such attacks.
Attachments
Patch (40.21 KB, patch), 2020-04-29 15:12 PDT, Jiewen Tan, no flags
Patch (38.39 KB, patch), 2020-04-29 15:30 PDT, Jiewen Tan, no flags
Patch (31.80 KB, patch), 2020-04-29 18:32 PDT, Jiewen Tan, no flags
Patch (31.80 KB, patch), 2020-04-29 18:33 PDT, Jiewen Tan, bfulgham: review+, ews-feeder: commit-queue-
Patch for landing (31.78 KB, patch), 2020-04-30 21:15 PDT, Jiewen Tan, no flags
Radar WebKit Bug Importer
Comment 1 2018-08-15 17:07:32 PDT
Yuriy Ackermann
Comment 2 2018-08-29 17:15:30 PDT
Authenticators must do TUP/UV before every operation. The only check you must do is when attestation is returned and it's set to DIRECT; then you must obtain consent from the user to return it to the server.

Biometric authenticators block fingerprint after 5 tries per security requirements.
Yuriy Ackermann
Comment 3 2018-08-29 17:17:00 PDT
Jiewen Tan
Comment 4 2018-08-31 13:56:28 PDT
(In reply to Yuriy Ackermann (FIDO Alliance) from comment #2)
> Authenticators must do TUP/UV before every operation. The only check you
> must do is when attestation is returned and it's set to DIRECT; then you must
> obtain consent from the user to return it to the server.
>
> Biometric authenticators block fingerprint after 5 tries per security
> requirements

Thanks for your comment. I didn't see that user consent is needed for "DIRECT" attestation in https://www.w3.org/TR/webauthn/ as of Aug 7th 2018. I know Firefox does this.
Jiewen Tan
Comment 5 2018-08-31 13:58:38 PDT
Besides user gestures, we might want to consider: 2) focus, i.e. whether the requesting page has focus; 3) or even background tabs.
Yuriy Ackermann
Comment 6 2018-09-01 04:37:25 PDT
As far as I know Chrome/Firefox are blocking secure APIs if the page is out of focus:

> https://w3c.github.io/webauthn/#abortoperation
> The visibility and focus state of the Window object determines whether the [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations should continue. When the Window object associated with the Document loses focus, [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations SHOULD be aborted.

Again, this has issues for soft authenticators, like SoftU2F, which obviously change focus and so cause the API to fail. So this needs careful consideration.
Jiewen Tan
Comment 7 2018-09-13 01:12:57 PDT
Another attack scenario could also be solved by requiring user gestures: https://www.w3.org/TR/webauthn/#sec-make-credential-privacy.
Jiewen Tan
Comment 8 2019-05-02 18:48:29 PDT
A user gesture is hard to require for cross-platform authenticators, as RPs nowadays, like Google, would not expect that. Instead, it should be required for our platform authenticators only. Will have a separate bug to add the check of whether the document has focus. That one, though, can be required for all, which also aligns with Chromium.
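The policy that comments 6 and 8 converge on (every request needs a focused document; platform-authenticator requests additionally need a user gesture) can be modelled in a few lines. The block below is an added example, not WebKit's code and not the patch attached to this bug. Two details are assumptions of the model, not WebKit behaviour: a 5-second transient-activation window after the last gesture, and that a prompt consumes the activation so one click yields at most one biometric prompt. The `simulateSpam` loop is the attack from the bug report: a page calling the API in a tight loop.

```javascript
// Added example (not WebKit code): a model of the gating policy discussed in
// this bug. ACTIVATION_WINDOW_MS and the "one gesture, one prompt" rule are
// assumptions of the model, not WebKit constants.
const ACTIVATION_WINDOW_MS = 5000; // assumption

class PageState {
  constructor() {
    this.hasFocus = true;          // document currently has focus
    this.lastGestureAt = -Infinity; // timestamp of last genuine user gesture
    this.activationConsumed = true; // no unused activation yet
  }
  // Called when a genuine, trusted user gesture (click, key press) is dispatched.
  noteUserGesture(now) {
    this.lastGestureAt = now;
    this.activationConsumed = false;
  }
  // Transient activation: an unconsumed gesture inside the window.
  hasTransientActivation(now) {
    return !this.activationConsumed && now - this.lastGestureAt <= ACTIVATION_WINDOW_MS;
  }
}

// Decide whether a create()/get() call may reach the authenticator.
// All requests require focus; platform (local) authenticator requests
// additionally require a user gesture, which the prompt then consumes.
function gateWebAuthnRequest(page, { attachment, now }) {
  if (!page.hasFocus) return { allowed: false, reason: 'document lost focus' };
  if (attachment === 'platform') {
    if (!page.hasTransientActivation(now)) return { allowed: false, reason: 'no user gesture' };
    page.activationConsumed = true; // assumption: one gesture, one prompt
  }
  return { allowed: true, reason: 'ok' };
}

// The reported attack: a page that fires requests in a loop. Returns how
// many of them would actually reach the user as a prompt.
function simulateSpam(page, { attachment, attempts, now }) {
  let prompts = 0;
  for (let i = 0; i < attempts; i++) {
    if (gateWebAuthnRequest(page, { attachment, now }).allowed) prompts++;
  }
  return prompts;
}

// Walk through the scenarios from the thread and return the prompt counts.
function demo() {
  const page = new PageState();
  const results = {};
  // No gesture at all: the loop never reaches the platform authenticator.
  results.noGesturePlatform = simulateSpam(page, { attachment: 'platform', attempts: 100, now: 0 });
  // One click, then a loop: exactly one prompt.
  page.noteUserGesture(1000);
  results.oneGesturePlatform = simulateSpam(page, { attachment: 'platform', attempts: 100, now: 1500 });
  // A click that is older than the activation window no longer counts.
  page.noteUserGesture(2000);
  results.staleGesturePlatform = simulateSpam(page, { attachment: 'platform', attempts: 100, now: 2000 + ACTIVATION_WINDOW_MS + 1 });
  // Cross-platform authenticators are not gated on gestures (comment 8).
  results.crossPlatformNoGesture = simulateSpam(page, { attachment: 'cross-platform', attempts: 3, now: 0 });
  // Losing focus blocks every kind of request, gesture or not (comment 6).
  page.hasFocus = false;
  page.noteUserGesture(10000);
  results.unfocused = simulateSpam(page, { attachment: 'cross-platform', attempts: 3, now: 10000 });
  return results;
}

console.log(demo());
```

On the RP side the consequence is simply that `navigator.credentials.create()`/`get()` for a platform authenticator has to be issued from inside a click or key handler, and that a request made from a timer or on page load should be expected to reject with `NotAllowedError` under this policy.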
Jiewen Tan
Comment 9 2020-04-29 15:12:55 PDT
Jiewen Tan
Comment 10 2020-04-29 15:30:49 PDT
Jiewen Tan
Comment 11 2020-04-29 18:32:13 PDT
Jiewen Tan
Comment 12 2020-04-29 18:33:15 PDT
Brent Fulgham
Comment 13 2020-04-30 13:11:34 PDT
Comment on attachment 398016 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398016&action=review

Looks good. r=me

> Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:-1194
> - [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];

I assume these preferences are no longer needed, and this is just cleanup?
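Review bot: dropping the explicit `_setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()` at _WKWebAuthenticationPanel.mm:1194 leaves the test silently dependent on whatever enables the local authenticator in the test configuration; if the mock is now meant to enable it by default, a one-line comment at this spot (or an assertion on the preference state before the ceremony runs) would keep a later change to that default from turning this into a test that only exercises the cross-platform path.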
Jiewen Tan
Comment 14 2020-04-30 15:24:04 PDT
Comment on attachment 398016 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398016&action=review

Thanks Brent for the r+.

>> Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:-1194
>> - [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];
>
> I assume these preferences are no longer needed, and this is just cleanup?

No, I changed the mock testing implementation such that it will have the feature enabled by default. In a real environment, it is still a default-off experimental feature.
EWS
Comment 15 2020-04-30 15:28:03 PDT
Tools/Scripts/svn-apply failed to apply attachment 398016 [details] to trunk. Please resolve the conflicts and upload a new patch.
Jiewen Tan
Comment 16 2020-04-30 21:15:00 PDT
Created attachment 398157 [details] Patch for landing
EWS
Comment 17 2020-04-30 21:43:33 PDT
Committed r260983: <https://trac.webkit.org/changeset/260983>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398157 [details].