WebAuthn credential creation fails on devices where the highest supported CTAP version is FIDO_2_0 and no PIN is set on the device.
Categories: Core :: DOM: Web Authentication, defect, P2
People: Reporter: will.smart, Assigned: jschanck
Steps to reproduce:
Go to a WebAuthn test site, like webauthn.io, and configure it to discourage User Verification (https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=all&algES256=true&algRS256=true&discoverableCredential=discouraged&authUserVerification=preferred)
Set a username and click "register"
When prompted, use a security key which supports FIDO_2_0, but not FIDO_2_1_Pre, and has no PIN set.
This occurs on MacOS on the latest Nightly (117)
It does not occur when security.webauthn.ctap2 is set to false
It appears to be related to https://github.com/mozilla/authenticator-rs/issues/283
While this does not affect currently available YubiKeys, it affects old versions (5.0.x and 5.1.x), as well as a number of FIDO2 keys that are currently available for purchase on Amazon.
Actual results:
An error: "User verification failed on webauthn.io. You may need to set a PIN on your device"
Expected results:
The webauthn makecredential should succeed and create a credential without user verification, as the relying party requested with uv=discouraged.
Comment 1•9 months ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Are there also plans to fix this for when user verification is "encouraged"?
As a user, not being able to proceed unless I compose and memorize a PIN on the spot, which AFAIK my key would then permanently require for all sites, doesn't really meet the definition of being "encouraged" to do something. I would describe that as user verification being "required". If something is "encouraged", I have the option to proceed without it.
Comment 5•9 months ago
Registration should succeed with no PIN even when the relying party specifies userVerification = Preferred.
Comment 6•9 months ago
@aws-identity-bugzilla - That's correct, and the referenced pull request for authenticator-rs should make that possible for any security keys that report FIDO_2_0 as the highest version they support.
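The behaviour the description and comments 5 and 6 expect, as an added example that is not authenticator-rs or Firefox code: a client-side decision that maps the relying party's userVerification preference onto the options a key reports in authenticatorGetInfo. The AuthInfo struct, choose_uv function and the constructed key descriptions are assumptions for illustration, not the project's API.

```rust
// Added example (not authenticator-rs code). The CTAP2 getInfo "clientPin"
// option is absent when PIN is unsupported, false when supported but not set,
// and true when set; "uv" reports built-in user verification the same way.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum UvPreference { Discouraged, Preferred, Required }

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum UvMethod { None, ClientPin, BuiltIn }

/// Subset of a key's getInfo response relevant to this bug (hypothetical type).
pub struct AuthInfo<'a> {
    pub versions: &'a [&'a str],
    pub client_pin: Option<bool>,
    pub builtin_uv: Option<bool>,
}

/// Decide how to satisfy the RP's preference. Ok(UvMethod::None) means the
/// client proceeds without any verification; Err means it must ask the user to
/// set a PIN (or choose another key) instead of failing silently.
/// Note the decision never depends on whether the key reports FIDO_2_0 or
/// FIDO_2_1_PRE: only the options matter.
pub fn choose_uv(info: &AuthInfo, pref: UvPreference) -> Result<UvMethod, &'static str> {
    let can_uv = info.builtin_uv == Some(true);
    let pin_set = info.client_pin == Some(true);
    match pref {
        // "discouraged": the RP asked for no UV, so never demand a PIN.
        UvPreference::Discouraged => Ok(UvMethod::None),
        // "preferred": use UV only if the key can already do it.
        UvPreference::Preferred if can_uv => Ok(UvMethod::BuiltIn),
        UvPreference::Preferred if pin_set => Ok(UvMethod::ClientPin),
        UvPreference::Preferred => Ok(UvMethod::None),
        // "required": UV is mandatory, so a PIN-less key cannot be used as-is.
        UvPreference::Required if can_uv => Ok(UvMethod::BuiltIn),
        UvPreference::Required if pin_set => Ok(UvMethod::ClientPin),
        UvPreference::Required if info.client_pin == Some(false) => {
            Err("user verification required: set a PIN on this key first")
        }
        UvPreference::Required => Err("user verification required but this key cannot verify the user"),
    }
}

fn main() {
    // Constructed key matching the report: FIDO_2_0 only, PIN supported but not set.
    let key = AuthInfo { versions: &["U2F_V2", "FIDO_2_0"], client_pin: Some(false), builtin_uv: None };
    for pref in [UvPreference::Discouraged, UvPreference::Preferred, UvPreference::Required] {
        println!("{:?} -> {:?}", pref, choose_uv(&key, pref));
    }
}
```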
Comment 7•9 months ago
The upstream patch landed in Firefox in Bug 1848172.
Comment 8•8 months ago
Confirmed this works as expected now in the 118 beta. Thanks!