Fix #644: Add UV parameter to getAssertion #672
Conversation
…r standalone It's just confusing to send the whole `AuthenticatorSelectionCriteria` structure but ignore of forbid 2 of the 3 members. If those additional parameters should be added in the future, that will probably be a breaking change anyway.
emlun
requested review from
equalsJeffH,
balfanz,
jcjones,
leshi,
AngeloKai and
akshayku
|
@Kieun may have something to say about how this affects UAF. |
|
I would also like to rename the |
|
This modification indeed affects UAF. But I'm not sure that how many number of UAF silent authenticators are deployed in the market. I would also think that at least user presence is needed during authentication in web space for privacy reason. |
|
By "native application", do you mean platform authenticators (i.e. TPMs integrated in laptops/phones)? There was an exception for them, but it was in |
|
I just mean that "native application" is a platform specific RP application such as Android or iOS app that can leverage FIDO silent authenticators for automated login use case. |
|
Ok. That sounds like it falls outside the scope of the WebAuthn spec. |
|
thanks @emlun -- this now looks nominally OK to me, but I think it really needs explicit buy-in from Chrome, FF, and @rlin1: in that my understanding of the nominal agreement had been that the default interaction case would be 2nd factor -- this seems to be changing it to 1st factor. this is fine by me, however we ought to explcitly get buy-in from other working group participants on it. thx, HTH. |
|
@equalsJeffH Thanks! Hm, I did not intend to change the default interaction case. What parts of the changes are suggesting that? |
| @@ -1383,7 +1407,7 @@ attributes. | |||
| dictionary AuthenticatorSelectionCriteria { | |||
| AuthenticatorAttachment authenticatorAttachment; | |||
| boolean requireResidentKey = false; | |||
| boolean requireUserVerification = false; | |||
| UserVerificationRequirement requireUserVerification = "preferred"; | |||
There was a problem hiding this comment.
Don't have a strong opinion on the default value - as longh as the RP can override it (which is the case IMHO).
| @@ -1538,6 +1591,7 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member must be | |||
| unsigned long timeout; | |||
| USVString rpId; | |||
| sequence<PublicKeyCredentialDescriptor> allowCredentials = []; | |||
| UserVerificationRequirement userVerification = "preferred"; | |||
There was a problem hiding this comment.
Don't have a strong opinion on the default value - as longh as the RP can override it (which is the case IMHO).
index.bs
Outdated
| @@ -1560,7 +1618,12 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member must be | |||
| :: This optional member contains a list of {{PublicKeyCredentialDescriptor}} object representing [=public key credentials=] | |||
index.bs
Outdated
| by the | ||
| [=authenticator=] if it has its own output capability, or by the user agent otherwise. | ||
|
|
||
| 1. Obtain [=user consent=] for using |selectedCredential|. The prompt for obtaining this [=user consent|consent=] may be shown by |
There was a problem hiding this comment.
We SHOULD NOT require additional user consent gathering by the platform for using an authenticator that is already registered!
index.bs
Outdated
| 1. If |allowCredentialDescriptorList| is now empty, return an error code equivalent to "{{NotAllowedError}}" and terminate the | ||
| operation. | ||
|
|
||
| 1. Prompt the user to select a [=public key credential|credential=] |selectedCredential| from |allowCredentialDescriptorList|. |
There was a problem hiding this comment.
this is only required if the list has more than 1 entry.
There was a problem hiding this comment.
so we should say: If the |allowCredentialDescriptorList| contains multiple entries, then ...
index.bs
Outdated
| by the | ||
| [=authenticator=] if it has its own output capability, or by the user agent otherwise. | ||
|
|
||
| 1. Obtain [=user consent=] for using |selectedCredential|. The prompt for obtaining this [=user consent|consent=] may be shown by |
There was a problem hiding this comment.
We SHOULD be clear that user verification, e.g. a fingerprint swipe IS a method for obtaining user consent - we don't want additional dialog boxes!
|
@emlun said:
I think using I added a comment where I was pinged (https://github.com/w3c/webauthn/pull/672/files#r151271242). I won't oppose the will of the working group if there's consensus on this, but my preference would be to have this default to |
|
@emlun: It looks to me like there's broad agreement on that. I don't see anything problematic with this change otherwise, and I think if you swap those defaults then this should be free to merge (after we get confirmation from the other 3 reviewers) |
|
Oops, I spoke too soon. I missed the embedded threads. Disregard. Still, I think adjusting that default would help. But the points about presence vs. user verification are better articulated by Rolf, Akshay, Jeff, et. al than I can do. |
|
@jcjones : What is the common case in your opinion? Does not it maps to RP supporting all kind of authenticators?? and Isn't that the direction we should be going to? |
|
|
|
No. In |
|
@akshayku Ok. I guess you and I use "support" to mean different things - neither the client nor the RP will refuse authenticators with UV in the Anyway, with that it looks like consensus is possible for |
|
I don't really care that much. As long as we can override it. |
|
@emlun : I think we have an agreement for |
|
Great! I'll go ahead and merge if noone objects by Monday morning CET. |
|
@jcjones @balfanz @AngeloKai Please review asap so try to get closure before meeting this week |
|
@nadalin -- this was merged 7.5 hr before your comment above :) |
This resolves #644, and possibly #524 and #645.
Summary:
The definition of "user present" now states that if the user is "verified" they are also "present". Background: credentials.get() should have optional parameters for userVerification and userPresence #629Reverted after reviewA UV parameter has been added to
PublicKeyCredentialRequestOptions.A Boolean UV parameter is now passed to
authenticatorGetAssertion().The type of the UV parameter of the client operations has changed from Boolean to
UserVerificationRequirement.UserVerificationRequirementhas been added, with valuesrequired,wantedpreferredandnot-wanteddiscouraged.requireUserVerificationofAuthenticatorSelectionCriteriahas changed from Boolean toUserVerificationRequirement.requireUserVerificationof typeUserVerificationRequirementhas been added toPublicKeyCredentialRequestOptions.Authenticator operations are now specified to always require UP or UV.This was already stated in prose in §5.1.4 Use an existing credential to make an assertion, but not in the algorithms:Silent authenticator operations has also raised objections (credentials.get() should have optional parameters for userVerification and userPresence #629, #getAssertion alg needs to pass authenticator selection requirements to authenticatorGetAssertion operation #644), so we should state this requirement clearly until it's decided to support silent operations. This probably breaks compatibility with UAF Silent Authenticators (see WebAuthn available to Workers? aka "silent authentication" #199 (comment)).
EDIT: This logic has moved to the client level instead.
authenticatorMakeCredentialnow always uses UV if the authenticator supports it. IfrequireUserVerificationistruethe client will only send the command to capable authenticators.Authenticator operations' UP/UV behaviour has been aligned to agree with CTAP2.
authenticatorMakeCredential()andauthenticatorGetAssertion(). The client always sets this to the inverse of the UV parameter.CTAP compatibility should not be affected by any of the above. If it is, that's a bug.
Preview | Diff