WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED WORKSFORME
Bug 213894
[WebAuthn] problem with uv = required for makeCredential
https://bugs.webkit.org/show_bug.cgi?id=213894
Summary
[WebAuthn] problem with uv = required for makeCredential
login Llama
Reported
2020-07-02 12:04:49 PDT
In iOS 14 developer beta The authenticator has a pin set: The Authenticator is attached over USB/Lightning. If in WebAuthn uv is unset, set to discouraged or preferred registration works as expected the user is prompted for a pin and the credential is created. If in WebAuthn uv is set to required, the user is prompted to insert and activate the security key. After doing UP the dialogue is stuck until it times out. Given that uv is always required to make a credential in CTAP2.0 this seems like a bug.
Attachments
Add attachment
proposed patch, testcase, etc.
login Llama
Comment 1
2020-07-03 12:38:47 PDT
Doing some more testing I discovered that uv = required from the RP will work if the authenticator advertises support for internal uv in its getInfo. There is not a one to one mapping between uv in webAuthn and the UV option in makeCredential.
Jiewen Tan
Comment 2
2020-07-28 00:59:56 PDT
I have tried a Yubico Blue Security Key with PIN set, same model with no PIN, and a Feitian BioPass on
https://webauthntest.azurewebsites.net
with UV = required, and cannot reproduce. Can you suggest a more detailed way of reproducing the issue?
David Waite
Comment 3
2020-08-12 15:46:37 PDT
Reproduced on webauthn.io, webauthn.me as well as our own service Note: steps to reproduce are done on Safari Version 14.0 (16610.1.23.1.3) on Big Sur 20A5343i with a Yubikey 5ci (first production run) Steps to reproduce: 1. Navigate to
https://webauthn.me/debugger
2. Enable `authenticatorSelection` 3. Enable `requireResidentKey` 4. Enable `userVerification` 5. Set `userVerification` to `required` If key has no PIN previously configured, the key will flash but the UP gesture will be ignored If the key has a PIN configured, the key will not flash If userVerification is set to `preferred`, the user will be asked to enter a PIN after the user gesture. On second UP gesture, the operation will succeed I see similar behavior with #213895 (but that requires making a credential first) Without (yet) reviewing code, my suspicion is that this might be a filtering operation where the user verification flag in authenticatorGetInfo is used. The `uv` flag is only meant to indicate the authenticator performs internal verification, such as via a biometric sensor or PIN entry pad.
David Waite
Comment 4
2020-08-12 22:35:48 PDT
Looking into it more, I suspect that uv=true and no pin auth during discovery is the reason that the authenticator does not flash in the "PIN set" case.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug