Closed jschanck closed 1 year ago
The spec seems to be almost deliberately unclear here :sweat_smile:
For CTAP 2.1, the spec says:
Authenticators that include FIDO_2_1 in versions: ...
- MUST include an array element with the value 2 in the authenticatorGetInfo response’s pinUvAuthProtocols member (i.e. support PIN/UV auth protocol two) if it includes any values at all.
So, I think I agree. We should determine the protocol version based on the supported CTAP-level, if none is returned.
In Bug 1836722 we have a user reporting that WebAuthn transactions with a WearAuthn token abort immediately with
[ERROR authenticator::statemachine] Error when determining pinAuth: HIDError(Command(UnsupportedPinProtocol))
This seems to be because WearAuthn doesn't report `pinUvAuthProtocols` in its `GetInfo` response. The spec is not very clear about what we should do here. But my interpretation is: 1) For CTAP 2.0 devices we should use protocol 1, because protocol 2 wasn't defined for 2.0. 2) For CTAP 2.1 we should use protocol 2, because protocol 2 is mandatory-to-implement in 2.1.
We should also wrap the `pin_protocols` entry in our `AuthenticatorInfo` struct with `Option`, as there's a clause in 2.1 that the device MUST NOT return an empty list.
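As an added example (not authenticator-rs code), the selection rule proposed in this issue written out in Rust: a hypothetical `GetInfo` stand-in for `AuthenticatorInfo` with `pin_protocols` as an `Option`, an empty list rejected, and the CTAP level deciding the protocol when the member is absent.

```rust
// Added example (not authenticator-rs code): picking the PIN/UV auth protocol
// from a constructed, simplified authenticatorGetInfo response.

#[derive(Debug, PartialEq)]
pub enum PinUvAuthProtocol {
    One,
    Two,
}

#[derive(Debug, PartialEq)]
pub enum ProtocolError {
    /// Neither protocol 1 nor 2 can be used with this authenticator.
    UnsupportedPinProtocol,
    /// pinUvAuthProtocols was present but empty, which CTAP 2.1 forbids.
    EmptyPinProtocolList,
}

/// Hypothetical stand-in for the AuthenticatorInfo struct: only the two
/// members this decision needs.
pub struct GetInfo {
    pub versions: Vec<String>,
    /// None when the authenticator omitted pinUvAuthProtocols entirely.
    pub pin_protocols: Option<Vec<u64>>,
}

pub fn select_pin_protocol(info: &GetInfo) -> Result<PinUvAuthProtocol, ProtocolError> {
    let has_version = |v: &str| info.versions.iter().any(|x| x == v);
    match &info.pin_protocols {
        Some(list) if list.is_empty() => Err(ProtocolError::EmptyPinProtocolList),
        // Advertised list: prefer protocol 2, fall back to protocol 1.
        Some(list) if list.contains(&2) => Ok(PinUvAuthProtocol::Two),
        Some(list) if list.contains(&1) => Ok(PinUvAuthProtocol::One),
        Some(_) => Err(ProtocolError::UnsupportedPinProtocol),
        // Member absent: infer from the CTAP level, as proposed in the issue.
        None if has_version("FIDO_2_1") => Ok(PinUvAuthProtocol::Two),
        None if has_version("FIDO_2_0") => Ok(PinUvAuthProtocol::One),
        None => Err(ProtocolError::UnsupportedPinProtocol),
    }
}

fn main() {
    // Constructed response mimicking a token that omits pinUvAuthProtocols.
    let info = GetInfo { versions: vec!["FIDO_2_0".to_string()], pin_protocols: None };
    println!("{:?}", select_pin_protocol(&info));
}
```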