MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License

Wrong authenticatorAttachment after browser->startRegistration() with YubiKey #585

Closed kareha closed 4 months ago

kareha commented 5 months ago

Describe the issue

The result after a successful startRegistration() with a USB security key (YubiKey) is not correct.

authenticatorAttachment in this case is "platform" and I expect it to be "cross-platform"

response.transports includes "usb" (as the only value here)

Reproduction Steps

  1. Register a new Security Key
  2. See result. authenticatorAttachment

Expected behavior

authenticatorAttachment is supposed to be "cross-platform"

Code Samples + WebAuthn Options and Responses

See docs

Dependencies

SimpleWebAuthn Libraries

├── @simplewebauthn/browser@10.0.0
├── @simplewebauthn/server@10.0.0

Additional context

-

MasterKale commented 4 months ago

Hello @kareha, thanks for bringing this to my attention. Based on a bit of experimentation, though, I'm convinced that this is an issue with Safari's handling of security key registration. Registering the exact same security key in the exact same way using @simplewebauthn/browser's startRegistration() via https://webauthn.io yields "authenticatorAttachment": "platform" in Safari, but "authenticatorAttachment": "cross-platform" in Chrome:

Screenshot 2024-07-15 at 9 33 25 PM

startRegistration() is simply passing back what is returned from the call to WebAuthn's .create() method. Put another way, my library doesn't manipulate this value in any way so it's not the culprit.

I'm going to close this out because there's nothing for me to fix in SimpleWebAuthn. If you don't beat me to it, the best I can do for you here is to say that I'll aim to report this as a bug in the WebKit bug tracker.
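
For relying parties that store or act on this field, one way to detect the discrepancy described in this issue is to cross-check authenticatorAttachment against response.transports before using it. This is an added example, not part of the thread and not SimpleWebAuthn code; the type and function names are hypothetical and the two sample objects are constructed.

```typescript
// Added example. Only the two fields discussed in this issue are modelled.
// Both are unsigned, client-reported hints, so treat the result as advisory.
type Attachment = "platform" | "cross-platform";

interface RegistrationHints {
  authenticatorAttachment?: string;
  response: { transports?: string[] };
}

interface AttachmentCheck {
  reported: Attachment | null;
  inferred: Attachment | null;
  mismatch: boolean;
}

// Transports that only a removable (roaming) authenticator uses.
const ROAMING_TRANSPORTS = ["usb", "nfc", "ble", "smart-card"];

function inferAttachment(transports: string[]): Attachment | null {
  const hasRoaming = transports.some((t) => ROAMING_TRANSPORTS.indexOf(t) !== -1);
  const hasInternal = transports.indexOf("internal") !== -1;
  if (hasRoaming && !hasInternal) return "cross-platform";
  if (hasInternal && transports.length === 1) return "platform";
  return null; // e.g. ["hybrid", "internal"] or empty: not enough to decide
}

function checkAttachment(reg: RegistrationHints): AttachmentCheck {
  const raw = reg.authenticatorAttachment;
  const reported: Attachment | null =
    raw === "platform" || raw === "cross-platform" ? raw : null;
  const inferred = inferAttachment(reg.response.transports || []);
  const mismatch = reported !== null && inferred !== null && reported !== inferred;
  return { reported, inferred, mismatch };
}

// Constructed samples mirroring the two browser results described in the thread.
const safariYubiKey: RegistrationHints = {
  authenticatorAttachment: "platform",
  response: { transports: ["usb"] },
};
const chromeYubiKey: RegistrationHints = {
  authenticatorAttachment: "cross-platform",
  response: { transports: ["usb"] },
};

console.log(checkAttachment(safariYubiKey)); // mismatch flagged
console.log(checkAttachment(chromeYubiKey)); // consistent
```

A flagged mismatch is a reason to log the registration and avoid basing policy on authenticatorAttachment alone, not proof of which value is right.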