Webauthn PRF extension support

hugomrdias commented 1 year ago

Currently the demo relies on the PRF extension to handle UCAN signatures and WNFS encryption. The support for this extension is still limited across devices and browsers, check the following sections to have a better picture of what works and what doesn't.

Auth flows tracking list

MacOS
- Chrome using Yubikey ✅
- Chrome on an Android device (Device Pairing) ✅
- Chrome on an Android device (QR Code Pairing) ✅
- Chrome using Touch ID ❌
- Safari ❌
- Firefox ❌
Android
- Chrome using Device Lock ✅
- Chrome using another Android device (Cloud Sync) ✅
iOS
- Webkit ❌
Windows
- 🤷🏻‍♂️

Support

Feature	Android	iOS	MacOS	Windows
Passkey	9+ ✅	16+ ✅	13+ ✅	10+ ✅
Cross-Device Authentication	✅	✅	Chromium ✅ Safari ❌	❌ ²
Cloud Sync	✅	✅	Safari ✅ Chromium ¹ 🚧	❌
PRF Extension	Chromium ³ ✅	❌	Chromium ^3,4 🚧 Safari ❌	❔

¹ Planned using iCloud.

² No support on the OS level but works directly on Chromium.

³ Behind chrome://flags/#enable-experimental-web-platform-features, doesn't work with CDA.

⁴ Platform authenticator on mac doesnt support it but yubikey does.

References

Intent to Ship: https://groups.google.com/a/chromium.org/g/blink-dev/c/iTNOgLwD2bI/m/1zKXsF7uAgAJ
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1106961

0xjjpa commented 1 year ago

I believe based on the last comments from the intent to ship thread this has landed already in Chrome M116, right? FWIW I tested Chrome Canary m118 with beta features enabled in https://securitykeys.info/ts/test_suite.html and still got a No PRF error.

0xjjpa commented 12 months ago

FWIW not sure if it helps but largeBlob is now generally available in iOS and macOS for Safari 17. Might be a good alternative to prf if we can secure the client and only store the needed output as a largeBlob.

Feel free to test in https://glitch.com/~webauthn-large-blob

wesbiggs commented 10 months ago

Thanks for tracking this, really useful.

@0xjjpa it looks like there is a (possibly new?) same-origin policy enforced, to use your example I had to pop out of the glitch frame and open https://webauthn-large-blob.glitch.me/ in its own tab.

I can confirm largeBlob working on Safari 17.1 (MacOS 14.1.1) and Safari in iOS 17.1.1

lennybacon commented 3 months ago

I can confirm PRF Extension working on Chromium Canary 128.0 with chrome://flags/#enable-experimental-web-platform-features on Windows with a Token2. My yubikeys do not have a needed firmware. I have ordered new ones - expect them on Saturday and will provide updates.

I used the sample by @MasterKale here https://gist.github.com/MasterKale/dbe39a01438251f0cbd55576304731fd. The registration at https://passkeys.fission.app/register returned with Registration failed and no further info.

oddsdk / passkeys