davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g. Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License
130 stars, 24 forks

Fingerprint verification is not offered #6

Closed (by redochka, 5 years ago)

redochka commented 5 years ago

Fingerprint verification is not offered, only bluetooth, NFC or USB key.

geraldkrug commented 5 years ago

Do you have more info on that? Maybe I can code fingerprint support into this code.

redochka commented 5 years ago

Which info do you need?

davidearl commented 5 years ago

Information from someone else who emailed me directly suggests this may be possible, but would not follow the spec.

Firstly, the browser must support fingerprint for webauthn. I was not aware this was already the case, and I don't have one to test with.

Commenting out the line `$result->authenticatorSelection->authenticatorAttachment = 'cross-platform';` should allow the connection to the device to be made: cross-platform effectively means a device you can plug in such as a key, and platform means built-in. Presumably neither (i.e. commented out) means no restriction. I think the point is platform is more secure so one might want to restrict it to that. See https://www.w3.org/TR/webauthn/#attachment and https://www.w3.org/TR/webauthn/#sctn-authenticator-attachment-modality .

However, for the test that was done, it appears you also need to remove the checks on flags: `// if ($ao->flags != 0x1) { $this->oops('cannot decode key response (2c)'); } /* only TUP must be set */`. He did this on a OnePlus 6T/Pie (Android phone). This is less obvious. The spec (https://www.w3.org/TR/webauthn/#verifying-assertion item 12) simply says to check it is 1, which means "user present", which in my mind means they pressed a button or some such (and a fingerprint reader qualifies for that), not just a passive device that always responds, but I may be wrong about that. Nevertheless the spec is clear that it should be checked to pass, and should be 1. webauthn is all very new and the spec is very complex, so it wouldn't be surprising if some implementations don't interpret it quite the same. So I'd be cautious about removing that test, in general, without some indication as to why the device isn't setting it, but it seems to allow at least that the fingerprint reader he was using to pass.

davidearl commented 5 years ago

Those lines are currently line 80 and 281 of webauthn/webauthn.php
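As an added illustration of the flags check discussed above (example code written for this page, not part of the davidearl/webauthn repository): the flags byte in authenticator data is a bit field, and the verification step the thread cites says to check that the User Present bit is set, with a separate step requiring the User Verified bit when the relying party asked for user verification. An authenticator that verifies a fingerprint sets both UP (0x01) and UV (0x04), so its flags byte is 0x05, which an equality test against 0x01 rejects even though the response is spec-compliant. The Python below parses the fixed 37-byte prefix of authenticator data, contrasts the equality test with a bitwise test, and adds the rpIdHash and signature-counter checks from the same verification procedure. The relying party ID `example.com`, the counters and the sample byte strings are constructed for the example; no real authenticator response is used.

```python
"""Parse WebAuthn authenticator data and apply the spec's flag checks (added example)."""
import hashlib
import struct

# Flag bits of the authenticator data flags byte (WebAuthn Level 1, section 6.1).
FLAG_UP = 0x01  # User Present: a touch on the key or a tap on the sensor
FLAG_UV = 0x04  # User Verified: PIN, fingerprint or similar checked by the authenticator
FLAG_AT = 0x40  # Attested credential data follows (registration responses only)
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32 bytes), flags (1 byte), signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "rest": auth_data[37:],  # attested credential data / extensions when AT or ED is set
    }


def strict_flags_ok(flags: int) -> bool:
    """The equality test discussed in the thread: accepts only flags == 0x01."""
    return flags == 0x01


def spec_flags_ok(flags: int, user_verification: str = "preferred") -> bool:
    """Test the individual bits: UP must be set; UV must also be set when the RP
    required user verification. Other bits (UV on a touch-only key, ED) are allowed."""
    if not flags & FLAG_UP:
        return False
    if user_verification == "required" and not flags & FLAG_UV:
        return False
    return True


def verify_assertion_auth_data(auth_data: bytes, rp_id: str, stored_sign_count: int,
                               user_verification: str = "preferred") -> dict:
    """rpIdHash, flag and signature-counter checks from the assertion verification steps."""
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        raise ValueError("rpIdHash does not match the relying party ID")
    if not spec_flags_ok(parsed["flags"], user_verification):
        raise ValueError("required flag bits not set (flags=0x%02x)" % parsed["flags"])
    new_count = parsed["sign_count"]
    # A counter that fails to increase suggests a cloned authenticator; counters that are
    # both zero mean the authenticator does not implement one, so the check is skipped.
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        raise ValueError("signature counter did not increase; possible cloned authenticator")
    return parsed


def assertion_problem(auth_data: bytes, rp_id: str, stored_sign_count: int,
                      user_verification: str = "preferred"):
    """Return the verification error message, or None when the data passes."""
    try:
        verify_assertion_auth_data(auth_data, rp_id, stored_sign_count, user_verification)
    except ValueError as exc:
        return str(exc)
    return None


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample (not a captured authenticator response): 37-byte prefix only."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    usb_key = make_authenticator_data("example.com", FLAG_UP, 7)              # touch-only key
    fingerprint = make_authenticator_data("example.com", FLAG_UP | FLAG_UV, 8)  # platform sensor
    for name, data in (("usb key", usb_key), ("fingerprint", fingerprint)):
        flags = parse_authenticator_data(data)["flags"]
        print("%-12s flags=0x%02x strict=%s spec=%s" % (
            name, flags, strict_flags_ok(flags), spec_flags_ok(flags)))
```

Running the block prints a flags value of 0x01 for the touch-only key, which both tests accept, and 0x05 for the fingerprint response, which only the bitwise test accepts. Relaxing an equality test to a bit test is the spec-conformant change; dropping the UP check entirely would also admit a response whose flags byte is 0x00, which is exactly the passive, no-gesture case the original check was there to reject.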