266807 – [Webauthn] makeCred with UV=discouraged will have additional authenticator selection action and defaulting to clientPin still

NEW 266807

[Webauthn] makeCred with UV=discouraged will have additional authenticator selection action and defaulting to clientPin still

https://bugs.webkit.org/show_bug.cgi?id=266807

Summary [Webauthn] makeCred with UV=discouraged will have additional authenticator se...

nuno.sung

Reported 2023-12-22 00:15:13 PST

[Environment] - macOS: 12.7/14.2 - Browser: Safari 17.2 - Security key: Yubikey Bio, with clientPin and fingerprint provisioned already. [Steps] - Test make() in https://webauthntest.identitystandards.io with "User Verification=discouraged", others leave in `undifined` is okay. [Issues] 1. User needs to touch the Yubikey as authenticator selection, but with other ""User Verification" values, all have no this behavior. - it should be due to this line, https://github.com/WebKit/WebKit/commit/6abf9728aa39e1729ff9da1dc35773398d68020d#diff-d2f6aadaece174d3e1b70540f21f75e2b85dc0a0d53cf3dedee1c807744c51d2R99 - I think it's okay if the intension is to let user can select which no UV provisioned Security Key is okay. 2. After touching on the Yubikey, the PIN prompt will be popped up to ask for PIN, this will be the resolved issue of https://bugs.webkit.org/show_bug.cgi?id=213903 that only happen under "User Verification=discouraged" still.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-12-29 00:16:12 PST

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version Safari 17

Hardware Unspecified

OS macOS 14

Product WebKit

Component WebKit Misc.

Assignee

Nobody

Reported

2023-12-22 00:15 PST

Modified

2023-12-29 00:16 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks