Passing Android Passkey in allowList works poorly with windows hello


Aleksander Fjellvang

Mar 22, 2023, 5:36:32 AM
to FIDO Dev (fido-dev)
Hi.

Has anyone else noticed that if I pass a credential ID in the allowList which is received from registering a passkey from an Android phone using Windows Hello?

Specifically, if I on Chrome attempt to assert on a Windows machine, with a credentialId from an Android passkey login passed in the allowList, the following happens:

Windows Hello pops up and asks for the PIN of the credential, to which none work as I never registered one with the phone. If I press cancel in that PIN prompt and choose my Android phone for authentication, then the attestation object sent to the server will have a null value in UserHandle.


Is there any workaround for this? Or any way to determine whether a user registered a passkey device?

My solution for now has been to set `Direct` attestation during registration, and if 'None' is returned from the authenticator I save it in my repo as a passkey device. Seems like a brittle workaround, but my limited testing with Windows Hello, YubiKey and passkeys via Android showed that only the Android passkey would return 'None' with Direct attestation.
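
The registration-time check described in the post above, as an added example that is not part of the original thread: it decodes the `attestationObject` CBOR on the server and reads `fmt`, treating `none` as the poster's hint for an Android passkey. The function names and the zero-filled sample objects are constructed for illustration.

```javascript
// Minimal CBOR reader for the types an attestationObject uses: unsigned and
// negative ints, byte/text strings, arrays and maps (definite lengths only).
function readCbor(buf, pos = 0) {
  if (pos >= buf.length) throw new Error("truncated CBOR item");
  const major = buf[pos] >> 5;
  const info = buf[pos] & 0x1f;
  pos += 1;
  let n = info;
  if (info >= 24 && info <= 26) {
    const width = 1 << (info - 24); // 1, 2 or 4 bytes follow
    n = buf.readUIntBE(pos, width);
    pos += width;
  } else if (info > 26) throw new Error("unsupported CBOR length encoding");
  switch (major) {
    case 0: return [n, pos];
    case 1: return [-1 - n, pos];
    case 2: case 3: {
      if (pos + n > buf.length) throw new Error("truncated CBOR string");
      const s = buf.subarray(pos, pos + n);
      return [major === 3 ? s.toString("utf8") : s, pos + n];
    }
    case 4: {
      const arr = [];
      for (let i = 0; i < n; i++) { let v; [v, pos] = readCbor(buf, pos); arr.push(v); }
      return [arr, pos];
    }
    case 5: {
      const map = {};
      for (let i = 0; i < n; i++) {
        let k, v; [k, pos] = readCbor(buf, pos); [v, pos] = readCbor(buf, pos); map[k] = v;
      }
      return [map, pos];
    }
    default: throw new Error("unsupported CBOR major type " + major);
  }
}
// Attestation statement format ("none", "packed", ...) from a registration response.
function attestationFormat(attestationObject) {
  const [obj] = readCbor(Buffer.from(attestationObject));
  if (typeof obj !== "object" || typeof obj.fmt !== "string") throw new Error("not an attestationObject");
  return obj.fmt;
}
// The poster's heuristic: with direct attestation requested, fmt "none" was only
// seen for the Android passkey. The post itself calls this brittle; store it as a hint.
const looksLikeAndroidPasskey = (attObj) => attestationFormat(attObj) === "none";

// Constructed samples: authData is 37 zero bytes, the signature is a placeholder.
const text = (s) => Buffer.concat([Buffer.from([0x60 + s.length]), Buffer.from(s)]);
const sample = (fmt, stmtHex) => Buffer.concat([Buffer.from([0xa3]), text("fmt"), text(fmt),
  text("attStmt"), Buffer.from(stmtHex, "hex"), text("authData"), Buffer.from("5825", "hex"), Buffer.alloc(37)]);
const SAMPLE_NONE = sample("none", "a0");
const SAMPLE_PACKED = sample("packed", "a263616c6726637369674401020304");
```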

Mumbere Anold

Mar 22, 2023, 5:47:05 AM
to Aleksander Fjellvang, FIDO Dev (fido-dev)
