"uvm" parameter does not work!


추준엽

Nov 22, 2021, 8:24:36 PM
to FIDO Dev (fido-dev)
Hello. I have a question about FIDO authentication.

1. Can I control the authentication method of the device when requesting "navigator.credentials.create()"? I want to get rid of the "use pattern" option like the picture below.

2. If "uvm" is set to true among the extension options used when requesting "navigator.credentials.create()", getClientExtensionResults is returned as an empty value.
Is this a disabled option by any chance? Or is it an option that is not available on the web?

Thanks for reading.

Emil Lundberg

Nov 23, 2021, 7:12:43 AM
to 추준엽, FIDO Dev (fido-dev)
1. No, you cannot. (There is technically the authnSel extension which could in theory do something like that, but it is not actually supported by any browser.)

Android leaves it to the user to decide what kind of authentication method they prefer. If you as an RP have requirements on permissible authenticators (for example, if you work in a regulated industry such as finance), you'll need to verify the attestation statement after the fact and reject the registration if the attestation does not satisfy your policy.

2. Either the browser doesn't support the extension, or the authenticator doesn't (or both). I'm not sure how widely the uvm extension is supported by browsers, but I think Chrome on Android does support it, so it might be that your authenticator doesn't support the extension. Also note that uvm is an authenticator extension, so you may want to read the extension output from the authenticatorData instead since the authenticatorData is signed but getClientExtensionResults() is not.


Emil Lundberg

Software Engineer | Yubico




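As an added example (not code from this thread, from Yubico, or from any browser), here is the RP-side check Emil describes: read the `uvm` output from the signed authenticatorData rather than from getClientExtensionResults(), then compare the reported user verification method against an RP policy mask. The sample authenticatorData and the small CBOR decoder are constructed for this example, the helper names are mine, and the user-verification-method bit values are the ones from the FIDO Registry of Predefined Values.

```javascript
const hex = (s) => Uint8Array.from(s.match(/../g), (b) => parseInt(b, 16));
// Constructed sample authenticatorData (not a real capture): rpIdHash(32) | flags 0xC5 (UP|UV|AT|ED)
// | signCount 1 | AAGUID(16) | credIdLen 2 | credId | COSE key {1:2,3:-7} | extensions {"uvm":[[2,4,2]]}
const SAMPLE_AUTH_DATA = hex("11".repeat(32) + "c5" + "00000001" + "22".repeat(16) +
  "0002" + "abcd" + "a201020326" + "a16375766d8183020402");

// Minimal CBOR decoder (ints, byte/text strings, arrays, maps); returns [value, nextOffset].
function decodeCbor(buf, off = 0) {
  const ib = buf[off++], major = ib >> 5, info = ib & 0x1f;
  let n = info;
  if (info === 24) n = buf[off++];
  else if (info === 25) { n = (buf[off] << 8) | buf[off + 1]; off += 2; }
  else if (info > 25) throw new Error(`unsupported CBOR additional info ${info}`);
  switch (major) {
    case 0: return [n, off];
    case 1: return [-1 - n, off];
    case 2: return [buf.slice(off, off + n), off + n];
    case 3: return [new TextDecoder().decode(buf.slice(off, off + n)), off + n];
    case 4: { const a = []; for (let i = 0; i < n; i++) { const [v, o] = decodeCbor(buf, off); a.push(v); off = o; } return [a, off]; }
    case 5: {
      const m = new Map();
      for (let i = 0; i < n; i++) { const [k, o1] = decodeCbor(buf, off); const [v, o2] = decodeCbor(buf, o1); m.set(k, v); off = o2; }
      return [m, off];
    }
    default: throw new Error(`unsupported CBOR major type ${major}`);
  }
}

// Walk authenticatorData: skip attested credential data when AT is set, then decode the
// extensions map when ED is set. Returns the uvm extension output array, or null if absent.
function extractUvm(authData) {
  const flags = authData[32], AT = 0x40, ED = 0x80;
  let off = 37; // rpIdHash(32) + flags(1) + signCount(4)
  if (flags & AT) {
    const credIdLen = (authData[off + 16] << 8) | authData[off + 17];
    off += 16 + 2 + credIdLen;
    off = decodeCbor(authData, off)[1]; // skip over the COSE public key
  }
  if (!(flags & ED)) return null;
  return decodeCbor(authData, off)[0].get("uvm") ?? null;
}

// User-verification-method bits from the FIDO Registry of Predefined Values.
const UVM_FINGERPRINT = 0x02, UVM_PASSCODE = 0x04, UVM_PATTERN = 0x80;
// RP-side policy: every reported method must fall within the allowed mask.
function uvmSatisfiesPolicy(uvm, allowedMask) {
  if (!Array.isArray(uvm) || uvm.length === 0) return false;
  return uvm.every(([method]) => method > 0 && (method & ~allowedMask) === 0);
}
console.log(extractUvm(SAMPLE_AUTH_DATA), uvmSatisfiesPolicy(extractUvm(SAMPLE_AUTH_DATA), UVM_FINGERPRINT | UVM_PASSCODE));
```

Each uvm entry is [userVerificationMethod, keyProtectionType, matcherProtectionType]; the policy helper only inspects the first element, and a registration whose authenticatorData carries no extensions at all yields null and fails the policy.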

Philipp Junghannß

Nov 23, 2021, 7:24:25 AM
to Emil Lundberg, 추준엽, FIDO Dev (fido-dev)
Also, I think the idea to force biometrics is semi-useless anyway, as the PIN/pattern is used to change the fingerprints on the device anyway, so if an attacker cannot proceed with biometrics but knows the PIN, they could just add their own. Also, knowledge of the PIN means you get unlimited retries on biometrics (I have seen apps that used Android biometrics (rather than FIDO), and when that locked me out because the scanner was awful, I just locked the phone and unlocked via PIN/pattern to get more retries).

Regards

Mayra Morales Silva

Nov 26, 2021, 9:45:29 AM
to 추준엽, FIDO Dev (fido-dev)
I don't understand anything of what you are writing to me, because I don't know the English language.
Write to me in Spanish so I can understand the reason for your emails. Thanking you for your attention to this matter, yours, Mayi.
