Missing documentation of an option needed to avoid a vulnerability allowing Passwordless to be bypassed if a developer doesn't double-check it on the server-side #350
As laid out in this article from August 2020:
https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
Android 7+ (possibly other phone OSes too?) currently doesn't have a properly configured NFC system for Yubikeys when it comes to Passwordless login.
Their authentication system (as well as the above article's browser-based exploit code) allows the browser-side authenticator to ignore the requirement of User Verification and send in a challenge that is recognized as valid, thus allowing a user to log in using just Username + NFC Yubikey, without checking the UV at all.
You've already got one test in your test suite that has the proper code, so it is supported already:
https://github.com/cedarcode/webauthn-ruby/blob/9544853522a351371d466c966c06ee7b24d18d9a/spec/webauthn/authenticator_assertion_response_spec.rb#L133
Just need a mention in this piece of documentation that if using a key as Passwordless, the "user_verification: true" needs to be in the .verify() code or it won't properly check that it's a valid Passwordless (User Presence + User Verification) login, and an exploit can bypass it.
https://github.com/cedarcode/webauthn-ruby#publickeycredentialwithassertionverifychallenge-public_key-sign_count
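Added example, not webauthn-ruby's own code: a minimal relying-party check on the authenticator-data flags byte that shows why an assertion with only the UP bit set passes when the server does not ask for user verification, and is rejected once it does. The RP ID, sign counts and sample assertions are constructed here for illustration.

```ruby
# Authenticator data layout (WebAuthn): bytes 0..31 rpIdHash, byte 32 flags
# (bit 0 = UP user present, bit 2 = UV user verified), bytes 33..36 signCount.
require "digest"

FLAG_UP = 0x01
FLAG_UV = 0x04

# Builds a constructed authenticator-data blob for the given flags.
def build_authenticator_data(rp_id, flags, sign_count)
  Digest::SHA256.digest(rp_id) + [flags].pack("C") + [sign_count].pack("N")
end

# Reads the UP and UV bits out of the flags byte.
def parse_flags(auth_data)
  flags = auth_data.getbyte(32)
  {
    user_present: (flags & FLAG_UP) != 0,
    user_verified: (flags & FLAG_UV) != 0
  }
end

# The relying-party decision. With user_verification: false only UP is
# checked, so a UV-less NFC assertion is accepted (the bypass described in
# the issue). With user_verification: true the UV bit is mandatory.
# In webauthn-ruby this corresponds to passing user_verification: true to
# PublicKeyCredentialWithAssertion#verify, as the issue text requests.
def assertion_acceptable?(auth_data, user_verification:)
  f = parse_flags(auth_data)
  return false unless f[:user_present]
  return false if user_verification && !f[:user_verified]
  true
end

# Constructed samples: a tap that proved presence only, and one with PIN/UV.
UP_ONLY   = build_authenticator_data("example.com", FLAG_UP, 7)
UP_AND_UV = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 8)

if __FILE__ == $0
  puts "UP-only, UV not required: #{assertion_acceptable?(UP_ONLY, user_verification: false)}"
  puts "UP-only, UV required:     #{assertion_acceptable?(UP_ONLY, user_verification: true)}"
  puts "UP+UV,   UV required:     #{assertion_acceptable?(UP_AND_UV, user_verification: true)}"
end
```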