Removing discoverable credentials from Safari


Andrey Paramonov

Jun 21, 2022, 2:42:54 PM
to FIDO Dev (fido-dev)
Greetings.

Does anyone know where Safari/macOS stores discoverable WebAuthn credentials? I can't find anything resembling it in keychain access or Safari itself. I'm talking about regular key, not passkey. Is there a way to find and delete it? Or am I stuck with that credential forever in the dropdown "saved account" list in Safari?

Searching the internet for the answer brings disappointing results.

Thanks.
Andrey

Arshad Noor

Jun 21, 2022, 3:16:36 PM
to Andrey Paramonov, FIDO Dev (fido-dev)
While it does not pertain to discoverable credentials, a bug has been
filed against WebKit on a related problem:

https://bugs.webkit.org/show_bug.cgi?id=235344

Your problem may be related.

Arshad Noor
StrongKey
> <https://superuser.com/questions/1587772/removing-webauthn-credentials-from-onboard-tpm-on-ios-macos>.
>
> Thanks.
> Andrey

Andrey Paramonov

Jun 24, 2022, 9:17:19 AM
to FIDO Dev (fido-dev), Arshad Noor, Andrey Paramonov
Thanks, Arshad, for your reply. It doesn't fully answer my question, but it gives me some pointers in the right direction.

I'm now curious about the bug you mentioned. The way I understand it: Chrome has finer-grained options for clearing browser data than Safari, and I agree that a user should be alerted that FIDO2 credentials are going to be deleted if the user proceeds with clearing browser data. (A proper key management UI would be even better.) What confuses me in that ticket is the "zombie credentials" part. Regardless of the granularity of clearing browser data, once you delete FIDO2 credentials in the browser, there is no way to tell the server that the (discoverable) credentials were deleted, because the key management happens outside of the WebAuthn/FIDO protocol. That means the FIDO server will always end up with "zombie credentials", even if WebKit fixes that UI bug. If my understanding is correct, the bug should focus exclusively on the UI (and a sort of parity between browsers) without mentioning the FIDO server.

What do you think?

Thanks.
Andrey

Adam Langley

Jun 24, 2022, 2:58:36 PM
to FIDO Dev (fido-dev), andrey.p...@hypr.com
On Tuesday, June 21, 2022 at 11:42:54 AM UTC-7 andrey.p...@hypr.com wrote:
Does anyone know where Safari/macOS stores discoverable WebAuthn credentials? I can't find anything resembling it in keychain access or Safari itself. I'm talking about regular key, not passkey. Is there a way to find and delete it? Or am I stuck with that credential forever in the dropdown "saved account" list in Safari?

In iOS 16 and macOS 13 betas, passkeys can be managed in the system's Settings, under passwords. With iOS 16 and macOS 13, I believe that all credentials created in the platform authenticator are passkeys and thus can be managed this way.

For non-passkey credentials created in prior versions, I don't believe that there's any way to manage them. (At least I've never seen one short of factory resetting the device.)


Cheers

AGL

Andrey Paramonov

Jun 24, 2022, 3:10:51 PM
to FIDO Dev (fido-dev), Adam Langley, Andrey Paramonov
Thanks Adam! I wonder what would happen in iOS 16 and macOS 13 with passkey creation if iCloud keychain is disabled? Will it create a "local" passkey or throw an error? 

Adam Langley

Jun 24, 2022, 3:15:22 PM
to Andrey Paramonov, FIDO Dev (fido-dev)
On Fri, Jun 24, 2022 at 12:10 PM Andrey Paramonov <andrey.p...@hypr.com> wrote:
Thanks Adam! I wonder what would happen in iOS 16 and macOS 13 with passkey creation if iCloud keychain is disabled? Will it create a "local" passkey or throw an error? 

It prompts to enable iCloud Keychain and will not create a passkey on the platform authenticator unless you do. If you then disable iCloud Keychain then passkeys still exist on the local device, and can be used, but you can't register more until it's enabled again. (As of iOS 16 beta 2, at least.)


Cheers

AGL 

Tim Cappalli

Jun 26, 2022, 12:16:38 PM
to Andrey Paramonov, Adam Langley, FIDO Dev (fido-dev)
And just one additional point. You'll still have access to cross-device flows when iCloud Keychain is disabled. This is an important detail for shared devices and/or corporate owned devices where iCloud Keychain is disabled by policy. 

Said differently, you can still use a credential from your phone or tablet on macOS when iCloud Keychain is disabled.


Emil Lundberg

Jun 27, 2022, 7:25:48 AM
to Adam Langley, FIDO Dev (fido-dev), andrey.p...@hypr.com

On Fri, Jun 24, 2022 at 8:58 PM 'Adam Langley' via FIDO Dev (fido-dev) <fido...@fidoalliance.org> wrote:


For non-passkey credentials created in prior versions, I don't believe that there's any way to manage them. (At least I've never seen one short of factory resetting the device.)

For external security keys, it depends on the CTAP version. CTAP 2.1 devices support key management where individual credentials can be deleted without resetting everything. CTAP 2.0 and CTAP1 devices do not support key management. (I'm not sure if external security keys were part of the discussion, but just to be sure. And of course this doesn't work for stateless ("U2F-style") credentials either.)


Emil Lundberg

Software Engineer | Yubico 

Andrey Paramonov

Jun 27, 2022, 9:21:43 AM
to Tim Cappalli, Adam Langley, FIDO Dev (fido-dev)

You'll still have access to cross-device flows when iCloud Keychain is disabled.

Are you talking about hybrid?

 
Said differently, you can still use a credential from your phone or tablet on macOS when iCloud Keychain is disabled.

Just to clarify: does iCloud Keychain still need to be enabled on iOS device for this flow to work?

Tim Cappalli

Jun 27, 2022, 9:28:03 AM
to Andrey Paramonov, Adam Langley, FIDO Dev (fido-dev)
Yes, that's the spec / technical name for it, but we generally say cross-device flow. Hybrid is not really a general use term. 

If the authenticator is an Apple device, then yes, iCloud Keychain needs to be enabled as multi-device credentials only exist on Apple authenticators if it is enabled. 


Tim Cappalli | m: +1 (617) 701-7149  @timcappalli

did:ion:EiBgPHSLu66o1hQWT7ejtsV73PfrzeKphDXpgbLchRi32w



Andrey Paramonov

Jun 27, 2022, 11:21:56 AM
to Tim Cappalli, Adam Langley, FIDO Dev (fido-dev)
I don't want to drastically side-track my original topic, but since we already touched on the cross-device flow, may I ask a couple more questions? I noticed that when I try to use the caBLE feature in Chrome on macOS, the QR code it generates is recognized by an iPhone, so I wonder if the proximity between Chrome on macOS and the iPhone is not required, unlike in the case of Chrome on macOS and Android? Also, that QR code is essentially a string like "FIDO:/big integer". What is that string? Is it a sort of deep link? Is it standardized across all mobile OS versions?

Tim Cappalli

Jun 27, 2022, 11:26:40 AM
to Andrey Paramonov, Adam Langley, FIDO Dev (fido-dev)

The cross-device flow, including the components like the QR code, is standardized as part of the next version of CTAP.

 

Sorry, I don't really understand the first question. Proximity is always required.

 

tim

Adam Langley

Jun 27, 2022, 11:29:23 AM
to Andrey Paramonov, Tim Cappalli, FIDO Dev (fido-dev)
On Mon, Jun 27, 2022 at 8:21 AM Andrey Paramonov <andrey.p...@hypr.com> wrote:
I don't want to drastically side-track my original topic, but since we already touched on the cross-device flow, may I ask a couple more questions? I noticed that when I try to use the caBLE feature in Chrome on macOS, the QR code it generates is recognized by an iPhone, so I wonder if the proximity between Chrome on macOS and the iPhone is not required, unlike in the case of Chrome on macOS and Android?

The protocol is the same in both cases. The QR code contains keys to help establish the connection and, once scanned, the phone will start broadcasting a BLE message. The laptop needs to prove receipt of that message (by integrating it into a handshake) in order to communicate with the phone and that's the proof of proximity. The bulk communication occurs over the internet because doing more than a single phone->laptop advert with BLE proved too unreliable.

Also, that QR code is essentially a string like "FIDO:/big integer". What is that string? Is it a sort of deep link? Is it standardized across all mobile OS versions?

It is a CBOR map expressed in such a way as to be efficiently encoded in a QR code. The code for converting to bytes in Chromium is here. See also this explanation.


Cheers

AGL

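As an added example (not part of the thread, and not Chromium's code), here is the "digit encoding" that turns the CBOR map bytes into the decimal string after "FIDO:/" in the QR code, with a decoder that rejects malformed input. It follows the scheme as I understand it from the Chromium implementation Adam refers to: the bytes are split into 7-byte chunks, each read as a little-endian integer and printed as 17 zero-padded decimal digits, and a trailing partial chunk of n bytes uses the smallest digit width that can hold 8n bits. Treat those chunk widths as an assumption to check against the hybrid section of the CTAP draft; the function names and the sample payload are constructed for the example and stand in for a real CBOR map.

```python
import re

FIDO_PREFIX = "FIDO:/"
CHUNK_BYTES = 7
FULL_CHUNK_DIGITS = 17
# Digits used for a trailing partial chunk of 1..6 bytes: the smallest decimal
# width that can represent 8*n bits, i.e. ceil(8n * log10(2)). Assumed to match
# the hybrid/caBLE draft; verify against the spec text.
PARTIAL_CHUNK_DIGITS = {1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15}
_BYTES_FOR_DIGITS = {d: n for n, d in PARTIAL_CHUNK_DIGITS.items()}


def digit_encode(payload: bytes) -> str:
    """Encode raw bytes (in practice the CBOR map) as the QR digit string."""
    digits = []
    for i in range(0, len(payload), CHUNK_BYTES):
        chunk = payload[i:i + CHUNK_BYTES]
        if len(chunk) == CHUNK_BYTES:
            width = FULL_CHUNK_DIGITS
        else:
            width = PARTIAL_CHUNK_DIGITS[len(chunk)]
        digits.append(str(int.from_bytes(chunk, "little")).zfill(width))
    return "".join(digits)


def digit_decode(digits: str) -> bytes:
    """Inverse of digit_encode; raises ValueError on anything malformed."""
    if not re.fullmatch(r"[0-9]*", digits):
        raise ValueError("QR payload must be ASCII decimal digits")
    out = bytearray()
    pos = 0
    # Every full 17-digit group must fit in 7 bytes (value < 2**56).
    while pos + FULL_CHUNK_DIGITS <= len(digits):
        value = int(digits[pos:pos + FULL_CHUNK_DIGITS])
        pos += FULL_CHUNK_DIGITS
        if value >= 1 << (8 * CHUNK_BYTES):
            raise ValueError("chunk value does not fit in 7 bytes")
        out += value.to_bytes(CHUNK_BYTES, "little")
    # A trailing group is only valid if its width is one of the partial widths.
    rest = digits[pos:]
    if rest:
        nbytes = _BYTES_FOR_DIGITS.get(len(rest))
        if nbytes is None:
            raise ValueError("invalid trailing digit count %d" % len(rest))
        value = int(rest)
        if value >= 1 << (8 * nbytes):
            raise ValueError("trailing chunk value does not fit")
        out += value.to_bytes(nbytes, "little")
    return bytes(out)


def encode_qr_uri(payload: bytes) -> str:
    """Build the string that is actually placed in the QR code."""
    return FIDO_PREFIX + digit_encode(payload)


def parse_qr_uri(uri: str) -> bytes:
    """Check the scheme prefix and recover the CBOR map bytes."""
    if not uri.startswith(FIDO_PREFIX):
        raise ValueError("not a FIDO:/ URI")
    return digit_decode(uri[len(FIDO_PREFIX):])


def is_valid_qr_uri(uri: str) -> bool:
    """True if the URI parses; handy for rejecting scanned junk early."""
    try:
        parse_qr_uri(uri)
        return True
    except ValueError:
        return False


# Constructed stand-in for the CBOR map bytes (not a real hybrid QR payload):
# 45 bytes = 6 full chunks + a 3-byte tail -> 6*17 + 8 = 110 digits.
SAMPLE_PAYLOAD = bytes(range(45))

if __name__ == "__main__":
    uri = encode_qr_uri(SAMPLE_PAYLOAD)
    print(uri)
    assert parse_qr_uri(uri) == SAMPLE_PAYLOAD
```

The decoder's range checks matter: a 17-digit group can hold values up to 10**17 - 1, but only values below 2**56 correspond to 7 bytes, so a scanner that trusts the digits blindly can be handed data that never round-trips. The same applies to the trailing group widths.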
Andrey Paramonov

Jun 27, 2022, 4:45:33 PM
to Adam Langley, Tim Cappalli, FIDO Dev (fido-dev)
Thanks Adam and Tim, you answered all my questions. Can you point me to the place in the CTAP that describes that feature?

Adam Langley

Jun 27, 2022, 4:48:17 PM
to Andrey Paramonov, Tim Cappalli, FIDO Dev (fido-dev)
On Mon, Jun 27, 2022 at 1:45 PM Andrey Paramonov <andrey.p...@hypr.com> wrote:
Thanks Adam and Tim, you answered all my questions. Can you point me to the place in the CTAP that describes that feature?

It is not yet in a released version of CTAP, I'm afraid. (FIDO members can find it in the TWG GitHub though.)

(It's not secret or anything, but that's how FIDO operates.)


Cheers

AGL 