Comments (7)
This should be addressed by https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Report-API-explainer
I'd also add that the RP should be using the same user handle which will prevent multiple credentials for the same account in the same authenticator.
from webauthn.
Oh good point about making sure the same userHandle is reused! I implemented a user registration page rather naively. I guess it would make sense to write some more guidance for RPs here.
This is what I implemented:
- I have a registration page where people can register an account by creating a passkey
- On page load of /register I generated a fresh userHandle and challenge. People then register by picking a userName and creating a passkey.
- If this step then fails due to networking conditions, the user tries again: they refresh the page, which causes a new userHandle and challenge to be allocated.
- Now the user has two passkeys in their keychain, with different userHandles but the same userName. Only one of them works.
I guess I should fix this as an RP by:
- On the register page, generate a userHandle just once and save it in the session cookie.
- If the person aborts the registration (e.g. due to networking errors) and reloads the page, they use the same userHandle.
- If I understand correctly, the new passkey then overrides the old passkey in the UI (due to having the same userHandle?)
from webauthn.
Authenticators and clients are expected to be spec compliant. There is only so much that can be done at a spec level.
Please ask these authenticator-specific questions via a developer/deployment channel (FIDO-DEV, Passkeys Developer, etc).
from webauthn.
If I understand correctly the new passkey then overrides the old passkey in the UI (Due to having the same userHandle ?)
Yes, that's correct
from webauthn.
Related to this problem: at least Safari seems to completely ignore excludeCredentials. This means users of our RP end up with multiple iCloud passkeys in their account and there is nothing stopping them from registering with the same authenticator multiple times. They then don't know which one is the "active" passkey, and when they delete the wrong one they get locked out of their account forever, as Safari will delete the old passkey as soon as you register the new one.
Edit: Issue is tracked here: https://bugs.webkit.org/show_bug.cgi?id=270553
from webauthn.
How can I protect myself against a misbehaving authenticator that ignores excludeCredentials, like Safari?
Now the following scenario can happen, which is even worse than the original issue, namely account lockout for existing accounts:
- Register a passkey
- Log in
- Click the register passkey button again. Safari overrides the passkey in your keychain in place.
- Network is lost and the response from navigator.credentials.create() doesn't arrive at the RP
- You're now completely locked out of your account, as the first passkey doesn't work anymore since it's no longer in your keychain
from webauthn.
To make a concrete proposal for the spec:
The spec currently reads:
excludeCredentialDescriptorList
An OPTIONAL list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a list of known credentials.
This gives the impression that implementing excludeCredentials is optional for authenticators, but I'd say it should be mandatory for client-side discoverable credentials.
Given that this overrides discoverable credentials, which can lead to user lockout, I think we should change the wording to SHALL NOT or MUST NOT.
We should also make it clear that calling create without excludeCredentials can lead to lockout. Calling this an OPTIONAL list is maybe a bit too weak too?
I think both the section for RPs and the section for authenticators could use a bit more guidance on this.
from webauthn.