davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g. Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License

Firefox on Win10 or Android doesn't allow for biometric or pin auth #27

Open GarryG opened 4 years ago

GarryG commented 4 years ago

Attempting to create a key only allows for certification through a security key, but not via other ways (e.g. PIN auth on Win 10 or fingerprint on Android) - both platforms only request a security key. Might be caused by not allowing self-certification or whatever that's called? Sorry, not very experienced with the WebAuthn inner workings ... works on both platforms with the webauthn.io test page, allowing either security dongles or other methods ...

benjamindoe commented 4 years ago

PIN auth on Windows 10 currently requires RS256. Currently, this lib doesn't support RS256 due to the difference in creating the public key: https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integration/web-authentication

There has recently been a commit to enable internal authenticators for authenticating, try updating your package and see if that helps? https://github.com/davidearl/webauthn/commit/a825098e1dcca8849001d8e23fd6e885985908bf

davidearl commented 4 years ago

As of yesterday, Windows 10 has finally allowed me to update to 1903, which this functionality is in, and I have also acquired a USB fingerprint reader for it, which works with Windows Hello and does indeed work with webauthn.io. @benjamindoe is correct, the alg setting in the public key creation is different. Windows Hello seems to use -257, which apparently is RSA with SHA256 v1.5 for the fingerprint reader. Since the Yubico key still works with Windows Hello (it definitely now goes through it), my assumption is alg depends on the device (or driver) rather than Windows Hello itself.

I looked at the code for webauthn.io, and I can see what it is doing. It wouldn't be enormously hard, I think, to translate it into PHP for the same PK algorithms they support. The project is in Go, so we can't use it directly. Maybe there's a case for wrapping that in e.g. a REST interface for local use on the server as an alternative to re-coding in PHP, otherwise there will be constant catch-up needed. I am assuming the authors of webauthn.io are close to the webauthn project.

The github code in Go is here: https://github.com/duo-labs/webauthn and the critical file is https://github.com/duo-labs/webauthn/blob/master/protocol/webauthncose/webauthncose.go

They also seem to have separate code for Android. Though in earlier reports, it seems others have some success in using this library with an Android Pi fingerprint reader.

benjamindoe commented 4 years ago

> my assumption is alg depends on the device (or driver) rather than Windows Hello itself.

So according to the spec you list the algs you want in priority order. However, the browser can choose which alg it wants to use. As browsers all go through Windows Security, it will be that which determines the alg used. From my tests, Windows Security will always favour Windows Hello above external authenticators.
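As an added example (not part of this thread and not the davidearl/webauthn library's own code), the following PHP shows the two server-side pieces discussed above: listing both ES256 (-7) and RS256 (-257) in `pubKeyCredParams` in priority order so that Windows Hello can pick RS256, and verifying an RS256 assertion signature by converting the COSE-encoded RSA public key (labels 1 = kty, 3 = alg, -1 = n, -2 = e) into a PEM that `openssl_verify` accepts. The key pair, `authenticatorData` and `clientDataJSON` in the demo are constructed locally; all function names are my own.

```php
<?php
declare(strict_types=1);

// Creation options: algorithms in priority order. -7 = ES256, -257 = RS256.
// authenticatorAttachment is deliberately omitted so platform (Windows Hello,
// Android biometrics) and cross-platform (USB keys) authenticators are both allowed.
function creationOptions(string $challenge, string $rpId, string $userId, string $userName): array {
    return [
        'challenge' => $challenge,
        'rp' => ['id' => $rpId, 'name' => $rpId],
        'user' => ['id' => $userId, 'name' => $userName, 'displayName' => $userName],
        'pubKeyCredParams' => [
            ['type' => 'public-key', 'alg' => -7],
            ['type' => 'public-key', 'alg' => -257],
        ],
        'timeout' => 60000,
        'attestation' => 'none',
    ];
}

// Minimal DER helpers: length, tag-length-value, and an unsigned big-endian INTEGER.
function derLength(int $len): string {
    if ($len < 0x80) {
        return chr($len);
    }
    $bytes = ltrim(pack('N', $len), "\0");
    return chr(0x80 | strlen($bytes)) . $bytes;
}
function derTlv(int $tag, string $value): string {
    return chr($tag) . derLength(strlen($value)) . $value;
}
function derUnsignedInteger(string $bytes): string {
    $bytes = ltrim($bytes, "\0");
    if ($bytes === '') {
        $bytes = "\0";
    }
    if (ord($bytes[0]) & 0x80) {
        $bytes = "\0" . $bytes; // leading zero keeps the INTEGER positive
    }
    return derTlv(0x02, $bytes);
}

// Convert a decoded COSE_Key map for an RS256 RSA key into a SubjectPublicKeyInfo PEM.
function coseRsaToPem(array $cose): string {
    if (($cose[1] ?? null) !== 3 || ($cose[3] ?? null) !== -257) {
        throw new InvalidArgumentException('expected COSE kty=3 (RSA) with alg=-257 (RS256)');
    }
    $rsaPublicKey = derTlv(0x30, derUnsignedInteger($cose[-1]) . derUnsignedInteger($cose[-2]));
    // AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
    $algId = derTlv(0x30, derTlv(0x06, "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") . derTlv(0x05, ''));
    $spki = derTlv(0x30, $algId . derTlv(0x03, "\0" . $rsaPublicKey));
    return "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split(base64_encode($spki), 64, "\n")
        . "-----END PUBLIC KEY-----\n";
}

// WebAuthn assertion: the signature covers authenticatorData || SHA-256(clientDataJSON).
function verifyRs256Assertion(string $pem, string $authenticatorData, string $clientDataJSON, string $signature): bool {
    $signed = $authenticatorData . hash('sha256', $clientDataJSON, true);
    return openssl_verify($signed, $signature, $pem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo with a locally generated key standing in for a Windows Hello credential (constructed data).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$details = openssl_pkey_get_details($key);
$cose = [1 => 3, 3 => -257, -1 => $details['rsa']['n'], -2 => $details['rsa']['e']];

$rpId = 'example.com';
$authenticatorData = hash('sha256', $rpId, true) . "\x05" . pack('N', 1); // rpIdHash, flags UP|UV, counter
$clientDataJSON = json_encode(['type' => 'webauthn.get', 'challenge' => 'constructed-challenge', 'origin' => 'https://example.com']);
openssl_sign($authenticatorData . hash('sha256', $clientDataJSON, true), $signature, $key, OPENSSL_ALGO_SHA256);

$pem = coseRsaToPem($cose);
var_dump(verifyRs256Assertion($pem, $authenticatorData, $clientDataJSON, $signature));          // bool(true)
var_dump(verifyRs256Assertion($pem, $authenticatorData, $clientDataJSON . ' ', $signature));    // bool(false)
print_r(creationOptions(base64_encode(random_bytes(32)), $rpId, 'user-id-1', 'alice')['pubKeyCredParams']);
```

The verification step is the part this thread says the library lacks: ES256 keys arrive as COSE EC2 points, whereas RS256 keys arrive as an RSA modulus and exponent, so the server needs a separate conversion path before it can hand the key to OpenSSL. The second `var_dump` shows that tampering with `clientDataJSON` after signing makes the check fail, which is the property the server relies on.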