search

kanidm / webauthn-rs

An implementation of webauthn components for Rustlang servers
Mozilla Public License 2.0
464 stars 79 forks source link

`danger_set_user_presence_only_security_keys()` seems not to be working #441

Closed zgtm closed 2 months ago

zgtm commented 2 months ago

I'm not totally sure if my expectation is right, but I expect the setting danger_set_user_presence_only_security_keys to set userVerification from required to preferred or discouraged.

I did this

I enabled the feature "danger-user-presence-only-security-keys" and created a Webauthn object using the WebauthnBuilder and setting danger_set_user_presence_only_security_keys(true).

The resulting Webauthn has user_presence_only_security_keys: true as expected.

Then I called eg. 

let (ccr, skr) =  webauthn.start_passkey_registration(webauthn::Uuid::from_u64_pair(0, 1),
                                                      "",
                                                      "",
                                                      None)

I expected the following

The resulting objects to have set userVerification from required to preferred or discouraged.

What actually happened

The CreationChallengeResponse object (ccr) had

CreationChallengeResponse {
    public_key: PublicKeyCredentialCreationOptions {
        authenticator_selection: Some(
            AuthenticatorSelectionCriteria {
                user_verification: Required,
                …
            },
        ),
        extensions: Some(
            RequestRegistrationExtensions {
                cred_protect: Some(
                    CredProtect {
                        credential_protection_policy: UserVerificationRequired,
                        …
                    },
                ),
                …
            },
        ),
        …
    },
}

The PasskeyRegistration object (skr) had

PasskeyRegistration {
    rs: RegistrationState {
        extensions: RequestRegistrationExtensions {
            cred_protect: Some(
                CredProtect {
                    credential_protection_policy: UserVerificationRequired,
                    …
                },
            ),
            …
        },
        …
    },
}

Version (and git commit)

Version 0.5.0 from crates.io

Operating System / Version

Kubuntu 24.04

Linux 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Any other comments

Firstyear commented 2 months ago

This isn't a bug. The feature you changed only affects the calls to start_securitykey_registration.

We need to have uv=required on passkeys because without it there is a UV bypass on all chrome and safari instances with laptops. Passkeys are expected to be self-contained MFA, so this is correct behaviour.

zgtm commented 1 month ago

Ah, okay I get it!

Thanks for your reply! :)