This is related to Bug 213934 For CTAP2.0 and CTAP2.1_Pre authenticators that don't support internal user verification sending the UV option will cause a CTAP2_ERR_UNSUPPORTED_OPTION. See authenticatorMakeCredential step 3 ( https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential ) and authenticatorGetAssertion Step 5. During Authenticator selection if clientPin is set in getInfo options, the platform is sending a dummy request to the authenticator to make the led blink to determine what authenticator to use. This works when the webAuthn request contains User Verification absent/Discouraged/preferred. However if User Verification required is sent by the RP the platform includes the uv=true option and that causes a CTAP2_ERR_UNSUPPORTED_OPTION error for CTAP2.0 authenticators that don't support internal UV. For Authenticators that do support internal UV it seems that some are performing internal UV (fingerprint etc) and not returning the expected error. I expect that the CTAP 2.0 authenticators with no internal UV are also going to have a further problem after authenticator selection if both a pinToken and uv option are sent to them. Bio Authenticators receiving both the uv option and pintoken may or may not work. My test CTAP2.1 authenticators that ignore the UV option work but as client pin authenticators ignoring the fingerprint, and other authenticators like the biopass I tested are not working. The first step would be to remove the uv option being sent with pintoken. That should never happen in CTAP 2.0. I hope that platforms MUST NOT do that is more clear in the CTAP2.1 spec. This should explain why the MS test page that sets user verification required won't work with a YK 5Ci but the same key will work just fine with a resident credential on a site with User Verification optional.
<rdar://problem/67817359>
I retested with with iOS developer beta 6, and as expected the behavior is the same.
The spec suggests: "user verification: Instructs the authenticator to require a gesture that verifies the user to complete the request. Examples of such gestures are fingerprint scan or a PIN." The "PIN" mentioned there is confusing with ClientPIN. Should we fix this confusing text in CTAP 2.1 as well? @John, what do you think?
*** Bug 216180 has been marked as a duplicate of this bug. ***
*** Bug 214266 has been marked as a duplicate of this bug. ***
Created attachment 408682 [details] Patch
Created attachment 409111 [details] Patch
Each authentication requires a test of user presence. In some cases the user verification method also provides the test of user presence such as a fingerprint. The clientPIN is never considered a test of user presence. Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost totally re-written. There is still some up caching text that Jeff is still working on so it is not totally merged. RD02 should be available shortly. Let me know if you think it is still confusing.
(In reply to login Llama from comment #8) > Each authentication requires a test of user presence. > > In some cases the user verification method also provides the test of user > presence such as a fingerprint. > > The clientPIN is never considered a test of user presence. > > Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost > totally re-written. > > There is still some up caching text that Jeff is still working on so it is > not totally merged. > > RD02 should be available shortly. Let me know if you think it is still > confusing. Sure.
Comment on attachment 409111 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review > Source/WebCore/ChangeLog:14 > + If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it typo: authenticator
Comment on attachment 409111 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review Thanks Darin for r+ this patch. >> Source/WebCore/ChangeLog:14 >> + If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it > > typo: authenticator Fixed.
Created attachment 409315 [details] Patch for landing
Committed r267369: <https://trac.webkit.org/changeset/267369> All reviewed patches have been landed. Closing bug and clearing flags on attachment 409315 [details].