Bug 213610 - [WebAuthn] Support device passcode as well as biometrics
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2020-06-25 10:33 PDT by Christiaan Brand
Modified: 2020-06-30 15:17 PDT

Description Christiaan Brand 2020-06-25 10:33:36 PDT
From the demo, it looks like WebAuthn "platform" support is restricted to biometrics. This is challenging from an accessibility standpoint as well as just in-general for user experience. Is it possible to add the ability to unlock keys using "anything the device can be unlocked with" here? This seems to be in-line with how WebAuthn platform authenticators are implemented elsewhere (Windows Hello, Android, etc). There doesn't seem to be a security benefit to doing it the way it's currently being done, unless all platform keys are blown away on biometric profile change, which I think will be unfortunate.
Comment 1 Radar WebKit Bug Importer 2020-06-25 18:01:22 PDT
<rdar://problem/64783399>
Comment 2 Jiewen Tan 2020-06-25 18:40:35 PDT
(In reply to Christiaan Brand from comment #0)
> From the demo, it looks like WebAuthn "platform" support is restricted to
> biometrics. This is challenging from an accessibility standpoint as well as
> just in-general for user experience. Is it possible to add the ability to
> unlock keys using "anything the device can be unlocked with" here? This
> seems to be in-line with how WebAuthn platform authenticators are
> implemented elsewhere (Windows Hello, Android, etc). There doesn't seem to
> be a security benefit to doing it the way it's currently being done, unless
> all platform keys are blown away on biometric profile change, which I think
> will be unfortunate.

The current implementation does allow fallback to passcode if Touch ID/Face ID fails multiple times in a row. It's an interesting point to offer it directly to users with some forms of accessibility features turned on.
Comment 3 eirbjo 2020-06-26 00:48:35 PDT
My two cents:

I would love to see the Apple Watch added to "anything the device can be unlocked with".

We have tried out Apple Watch unlock since it was enabled in Chrome 84 (now in beta), and we think it provides a great user experience. 

Touch ID works nicely with your hands actually on the Mac keyboard. With your Mac connected to an external monitor and keyboard, it may require more effort, either because the sensor falls out of reach from your position, or because the lid is closed.

Because the Apple Watch is always on your hand, it provides a very close, connected and intuitive user experience. Also works great in demos :-)