Bug 213894 - [WebAuthn] problem with uv = required for makeCredential
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Safari Technology Preview
Hardware: iPhone / iPad Other
: P2 Normal
Assignee: Nobody
Depends on:
Blocks: 181943
Reported: 2020-07-02 12:04 PDT by login Llama
Modified: 2020-08-12 22:35 PDT
Description login Llama 2020-07-02 12:04:49 PDT
In iOS 14 developer beta
The authenticator has a pin set:

The Authenticator is attached over USB/Lightning.

If in WebAuthn uv is unset, or set to discouraged or preferred, registration works as expected: the user is prompted for a PIN and the credential is created.

If in WebAuthn uv is set to required, the user is prompted to insert and activate the security key. After doing UP, the dialogue is stuck until it times out.

Given that uv is always required to make a credential in CTAP2.0, this seems like a bug.
Comment 1 login Llama 2020-07-03 12:38:47 PDT
Doing some more testing I discovered that uv = required from the RP will work if the authenticator advertises support for internal uv in its getInfo.

There is not a one-to-one mapping between uv in WebAuthn and the UV option in makeCredential.
Comment 2 Jiewen Tan 2020-07-28 00:59:56 PDT
I have tried a Yubico Blue Security Key with PIN set, same model with no PIN, and a Feitian BioPass on https://webauthntest.azurewebsites.net with UV = required, and cannot reproduce. Can you suggest a more detailed way of reproducing the issue?
Comment 3 David Waite 2020-08-12 15:46:37 PDT
Reproduced on webauthn.io and webauthn.me, as well as our own service.

Note: steps to reproduce are done on Safari Version 14.0 (16610. on Big Sur 20A5343i with a Yubikey 5ci (first production run)

Steps to reproduce:
1. Navigate to https://webauthn.me/debugger
2. Enable `authenticatorSelection`
3. Enable `requireResidentKey`
4. Enable `userVerification`
5. Set `userVerification` to `required`

If the key has no PIN previously configured, the key will flash but the UP gesture will be ignored.

If the key has a PIN configured, the key will not flash.

If userVerification is set to `preferred`, the user will be asked to enter a PIN after the user gesture. On the second UP gesture, the operation will succeed.

I see similar behavior with #213895 (but that requires making a credential first)

Without (yet) reviewing code, my suspicion is that this might be a filtering operation where the user verification flag in authenticatorGetInfo is used. The `uv` flag is only meant to indicate the authenticator performs internal verification, such as via a biometric sensor or PIN entry pad.
Comment 4 David Waite 2020-08-12 22:35:48 PDT
Looking into it more, I suspect that uv=true and no pin auth during discovery is the reason that the authenticator does not flash in the "PIN set" case.
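
The mapping discussed in comments 1, 3 and 4, as an added example that is not part of the bug thread and is not WebKit code: it contrasts the filter suspected in comment 3 (only the getInfo `uv` flag counts) with a selection that also treats a configured client PIN as user verification. The function names and returned action strings are hypothetical, and the getInfo option maps are constructed samples.

```javascript
// Added example, not WebKit code. Function names and action strings are hypothetical.
// CTAP2 authenticatorGetInfo "options" semantics assumed here:
//   uv:        true = built-in UV configured, false = capable but not enrolled, absent = none
//   clientPin: true = PIN set, false = PIN supported but not set, absent = unsupported

// Behaviour suspected in comment 3: getInfo `uv` is the only accepted UV signal.
function suspectedFilter(getInfoOptions, userVerification) {
  if (userVerification !== "required") return true;
  return getInfoOptions.uv === true;
}

// Selection that also counts a client PIN (sent as pinAuth) as user verification.
function planMakeCredential(getInfoOptions, userVerification = "preferred") {
  const builtInUv = getInfoOptions.uv === true;
  const pinSet = getInfoOptions.clientPin === true;
  const pinSupported = "clientPin" in getInfoOptions;

  // With a PIN set, registration goes through pinAuth whatever the RP asked for
  // (the reporter saw a PIN prompt for unset, discouraged and preferred).
  if (pinSet) return { action: "collectPinAndSendPinAuth", options: {} };
  // Built-in UV (biometric sensor, on-device PIN pad): request it via the uv option.
  if (builtInUv && userVerification !== "discouraged") {
    return { action: "sendUvOption", options: { uv: true } };
  }
  if (userVerification === "required") {
    // A PIN could satisfy UV once one is set; otherwise this device cannot do UV.
    return { action: pinSupported ? "setPinFirst" : "cannotSatisfyUv", options: {} };
  }
  return { action: "sendWithoutUv", options: {} };
}

// Constructed getInfo option maps for three kinds of authenticator.
const SAMPLES = {
  keyWithPin: { rk: true, up: true, clientPin: true },
  keyWithoutPin: { rk: true, up: true, clientPin: false },
  biometricKey: { rk: true, up: true, uv: true, clientPin: false },
};

function compare(userVerification) {
  return Object.entries(SAMPLES).map(([name, opts]) => ({
    name,
    acceptedBySuspectedFilter: suspectedFilter(opts, userVerification),
    plan: planMakeCredential(opts, userVerification).action,
  }));
}

console.table(compare("required"));
```

With `required`, only the biometric sample passes the suspected filter, which matches comment 1's observation that registration works when the authenticator advertises internal uv in getInfo.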