"uvm" parameter does not work!

55 views
Skip to first unread message

추준엽

unread,
Nov 22, 2021, 8:24:36 PM11/22/21
to FIDO Dev (fido-dev)
hello. I have a question about Fido authentication.

1.Can I control the authentication method of the device when requesting "navigator.credentials.create()"? I want to get rid of the "use pattern" option like the picture below.


ail.png

2.If "uvm" is set to true among extension options used when requesting "navigator.credentials.create()", getClientExtensionResults is returned as an empty value.
Is this a disabled option by any chance? Or is it an option that is not available on the web?

thanks for reading

Emil Lundberg

unread,
Nov 23, 2021, 7:12:43 AM11/23/21
to 추준엽, FIDO Dev (fido-dev)
1. No, you cannot. (There is technically the authnSel extension which could in theory do something like that, but it is not actually supported by any browser.)

Android leaves to the user to decide what kind of authentication method they prefer. If you as an RP have requirements on permissible authenticators (for example, if you work in a regulated industry such as finance), you'll need to verify the attestation statement after the fact and reject the registration if the attestation does not satisfy your policy.

2. Either the browser doesn't support the extension, or the authenticator doesn't (or both). I'm not sure how widely the uvm extension is supported by browsers, but I think Chrome on Android does support it, so it might be that your authenticator doesn't support the extension. Also note that uvm is an authenticator extension, so you may want to read the extension output from the authenticatorData instead since the authenticatorData is signed but getClientExtensionResults() is not.


Emil Lundberg

Software Engineer | Yubico




--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/445cbf3f-b2e6-4aad-bd1a-721f13de7598n%40fidoalliance.org.

Philipp Junghannß

unread,
Nov 23, 2021, 7:24:25 AM11/23/21
to Emil Lundberg, 추준엽, FIDO Dev (fido-dev)
also I think the idea to force biometrics is semi-useless anyway as the pin/pattern is used to change the fingerprints on the device anyway so if an attacker cannot proceed with biometrics but knows the PIN, they could just add their own, and also knowledge of the PIN means you get unlimited retries on biometrics (I have seen apps that used android biometrics (rather than FIDO) and when that locked my out because the scanner was awful, I just locked the phone and unlocked via PIN/Pattern to get more retries) 

Regards

Mayra Morales Silva

unread,
Nov 26, 2021, 9:45:29 AM11/26/21
to 추준엽, FIDO Dev (fido-dev)
No entiendo nada de lo que me escriben pues no domino el idioma Ingles.
Escribanme en Espanol para poder entender cual es la causa de sus envios.Agradeciendoles su atencion al respecto, queda de ustedes Mayi.

--
Reply all
Reply to author
Forward
0 new messages