Skip to content
This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

Problems with WebAuthn and Chrome #27

Open
mdp opened this issue Apr 29, 2019 · 5 comments
Open

Problems with WebAuthn and Chrome #27

mdp opened this issue Apr 29, 2019 · 5 comments

Comments

@mdp
Copy link

mdp commented Apr 29, 2019

There seems to be some funkiness around WebAuthn. Currently, I'm testing against https://webauthn.io

Registration:
Registration succeeds, but the browser provided pop-up never goes away. On the client side javascript, the registration callback is successfully being called.

Authentication/Login:
The Login prompt automatically assumes TPM mode, but maybe that's because I've previously authenticated with it. In this case, it seems to be impossible to revert back to cross-platform/USB key mode.

Details:
Extension Version: 1.0.17
Chrome Version: 73.0.3683.103 (64-bit OSX)
Website: https://webauthn.io

@agrinman
Copy link
Contributor

@mdp thanks for the bug report. I can confirm the popup doesn't close in some cases. I think the login behavior is because you've already registered with Krypton...it might be the case that if you register multiple times it saves both keys on the pseudo account. Maybe try changing the user name?

@mdp
Copy link
Author

mdp commented Apr 29, 2019

Yep, you were right. Changing the username fixes the login issue. Is there any way to "clear" the accounts?

@agrinman
Copy link
Contributor

Maybe clear the session cookies?

@mdp
Copy link
Author

mdp commented Apr 29, 2019

Thanks, Alex. The login seems like a minor issue with the UI on Chrome. There might not even be an easy way to fix it since it's probably more on Chrome's end.

Here's the issue/how to reproduce it:

  1. I register with a new identity, say foo@mdp.im, using TPM (in my case, a fingerprint reader), and then register using Krypton/CrossPlatform.
  2. Now WebAuthn.io has two public keys for me at foo@mdp.im. At this point, I "Login", and they pass back 2 "Allowed Credentials", one of which is known by Chrome to be tied to TPM.
  3. Chrome pops up the TPM Auth, while Krypton on my phone asks if I want to Login to Webauthn.io. Saying yes on Krypton has no effect on the popup nor logging in.

The workaround:
On the last step, before approving the Krypton request, click the "Choose another option" and select "Verify via USB". THEN approve the existing request on the Krypton app.

@viggy96
Copy link

viggy96 commented Aug 20, 2019

I think this is the same issue that occurs for Google sites, where Chrome's own dialog does not close when the Krypton request is approved. The underlying website processes the request properly, and logs in, but Chrome's dialog does not recognise that the 2 factor transaction has already completed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants