Bug 205222 - [WebAuthn] Make credential fails if a pin is set on the authenticator
Status: RESOLVED DUPLICATE of bug 191516
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2019-12-13 15:58 PST by login Llama
Modified: 2020-01-06 08:48 PST

Description login Llama 2019-12-13 15:58:18 PST
This impacts iOS and OSX stable and tech preview.

There are at least two bugs involved in this. 

Credentials can be made on Authenticators that support Fido_2_1_Pre.
Unfortunately I think that is a side effect of Bug 198408 not having landed.
It could also be some other issue parsing GetInfo.  
It looks like on those keys GetInfo parsing fails and Safari falls back to using U2F/CTAP1 to talk to the authenticator.
That is allowing the Make Credential to work. Note that with these keys CTAP1 is always used by Safari to make the credential, PIN set or not.

Older keys with just the two elements (["U2F_V2", "FIDO_2_0"]) seem to parse GetInfo and start CTAP2.
The authenticator will respond with CTAP2_ERR_PIN_REQUIRED if a pin is set on the device and you don't send a valid pinToken.
It seems that Safari hangs and times out at that point.

The best thing to do is implement client PIN.
Given that may take longer you should do what Chrome used to and look at "clientPin" in authenticatorGetInfo (0x04) and if that is set to true you should use U2F/CTAP1 to make the credential to avoid needing a PIN.

I will note that it was probably a mistake to require a PIN to make non-resident credentials in CTAP 2.0; however, we have a bunch of authenticators that require it. Firefox avoids the issue by only speaking CTAP1 to keys.
The CTAP 2.1 spec is being changed to allow making non-resident credentials without a PIN entry, but we aren't going to see any of those authenticators for some time, as they wouldn't pass the current CTAP 2.0 certification.

There may also be an issue with sending the UV option to authenticators that support only clientPin. That may be related to a problem parsing GetInfo or some other logic. Some authenticators violate the spec and don't throw an error.
If Bug 198408 is sorted out it will be easier to tell what is happening.

Thanks for releasing WebAuthn on iOS. It is working fine for U2F authenticators, but once large numbers of people get their hands on this, other bugs we didn't notice surface. It shows the interest that people started trying it right away.
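The client-side logic the report asks for, as an added example (this is not WebKit code and not the reporter's; function names, the constructed GetInfo replies and the all-zero placeholder AAGUID are assumptions made here). It parses an authenticatorGetInfo reply (status byte followed by a CBOR map, with the 0x01 versions and 0x04 options keys from the CTAP 2.0 spec), falls back to U2F/CTAP1 for makeCredential when the reply cannot be parsed, when the key is U2F-only, or when `clientPin` is `true` (a PIN is set and no pinToken can be supplied), only requests `uv` from authenticators that advertise built-in user verification, and treats a `CTAP2_ERR_PIN_REQUIRED` (0x36) status as a terminal answer rather than something to wait on:

```python
# CTAP2 status codes and authenticatorGetInfo map keys (FIDO CTAP 2.0 spec).
CTAP2_OK, CTAP2_ERR_PIN_REQUIRED = 0x00, 0x36
KEY_VERSIONS, KEY_AAGUID, KEY_OPTIONS = 1, 3, 4

def cbor_encode(v):
    """Minimal CBOR encoder for the types a GetInfo reply contains (lengths < 256)."""
    def head(major, n):
        return bytes([(major << 5) | n]) if n < 24 else bytes([(major << 5) | 24, n])
    if isinstance(v, bool): return b"\xf5" if v else b"\xf4"
    if isinstance(v, int): return head(0, v)
    if isinstance(v, bytes): return head(2, len(v)) + v
    if isinstance(v, str): return head(3, len(v.encode())) + v.encode()
    if isinstance(v, list): return head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))

def cbor_decode(data, pos=0):
    """Minimal CBOR decoder: returns (value, next_pos); raises ValueError on bad input."""
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, info, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
    if major == 7:  # only the booleans used in the options map
        if info in (20, 21):
            return info == 21, pos
        raise ValueError("unsupported simple value")
    if info < 24:
        n = info
    elif info == 24 and pos < len(data):
        n, pos = data[pos], pos + 1
    else:
        raise ValueError("truncated or unsupported length")
    if major == 0:
        return n, pos
    if major in (2, 3):
        if pos + n > len(data):
            raise ValueError("truncated CBOR")
        chunk = data[pos:pos + n]
        return (chunk if major == 2 else chunk.decode()), pos + n
    if major in (4, 5):
        items = []
        for _ in range(n if major == 4 else 2 * n):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("unsupported major type %d" % major)

def parse_get_info(response):
    """Parse status byte + CBOR map. None means the reply must not be trusted."""
    if not response or response[0] != CTAP2_OK:
        return None
    try:
        info, end = cbor_decode(response, 1)
    except ValueError:
        return None
    if end != len(response) or not isinstance(info, dict) or not isinstance(info.get(KEY_VERSIONS), list):
        return None
    return info

def choose_make_credential_transport(response):
    """Returns (transport, reason). CTAP1 is the workaround whenever CTAP2 would
    either not work or would demand a PIN the client cannot provide."""
    info = parse_get_info(response)
    if info is None:
        return "ctap1", "getinfo-unparsable"
    if not {"FIDO_2_0", "FIDO_2_1_PRE"} & set(info[KEY_VERSIONS]):
        return "ctap1", "u2f-only"
    if info.get(KEY_OPTIONS, {}).get("clientPin") is True:
        return "ctap1", "pin-set"
    return "ctap2", "no-pin"

def make_credential_options(info):
    """makeCredential options: ask for uv only if built-in UV is advertised as configured."""
    uv_ready = info.get(KEY_OPTIONS, {}).get("uv") is True
    return {"rk": False, "uv": True} if uv_ready else {"rk": False}

def classify_status(status):
    """Map the first byte of a CTAP2 reply to a client action; 0x36 is final, not a wait."""
    if status == CTAP2_OK:
        return "ok"
    if status == CTAP2_ERR_PIN_REQUIRED:
        return "pin-required"  # fail the request or collect a PIN; never sit in a timeout
    return "error-0x%02x" % status

# Constructed GetInfo replies (not captured from real devices); AAGUID is a placeholder.
def build_get_info(versions, options):
    return bytes([CTAP2_OK]) + cbor_encode({KEY_VERSIONS: versions, KEY_AAGUID: bytes(16), KEY_OPTIONS: options})

OLD_KEY_PIN_SET = build_get_info(["U2F_V2", "FIDO_2_0"], {"rk": True, "up": True, "clientPin": True})
OLD_KEY_NO_PIN = build_get_info(["U2F_V2", "FIDO_2_0"], {"rk": True, "up": True, "clientPin": False})
PRE21_KEY_PIN_SET = build_get_info(["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"], {"rk": True, "clientPin": True})
BUILTIN_UV_KEY = build_get_info(["FIDO_2_0"], {"rk": True, "uv": True})
TRUNCATED_REPLY = OLD_KEY_PIN_SET[:10]  # simulates a reply the parser cannot consume

if __name__ == "__main__":
    for name, reply in [("old/pin", OLD_KEY_PIN_SET), ("old/no-pin", OLD_KEY_NO_PIN),
                        ("2.1pre/pin", PRE21_KEY_PIN_SET), ("truncated", TRUNCATED_REPLY)]:
        print(name, choose_make_credential_transport(reply))
```

Two details matter in practice: `clientPin` present and `false` means the authenticator supports a PIN but none is set, so CTAP2 makeCredential can proceed without one, whereas `true` means a PIN is set; and a reply whose first byte is 0x36 already contains the authenticator's answer, so the client should surface it (or start the clientPIN flow) immediately instead of waiting for the request to time out.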
Comment 1 Radar WebKit Bug Importer 2019-12-16 11:32:25 PST
<rdar://problem/57978904>
Comment 2 login Llama 2020-01-03 12:12:43 PST
Bug 198408 has landed.

That is progress, but now basically all CTAP2 authenticators without built-in UV are broken for making and getting credentials due to bug 204111.

Getting 204111 fixed should be the priority to get the get assertion command to work and the make credential on authenticators without a PIN set.

Then you can implement clientPin or do the U2F workaround.
Comment 3 Jiewen Tan 2020-01-06 08:47:58 PST
Thanks for reporting this bug. I think this should be a duplicate of Bug 191516.
Comment 4 Jiewen Tan 2020-01-06 08:48:06 PST

*** This bug has been marked as a duplicate of bug 191516 ***