Disable WebAuthn Attestation "A New Device" Option


Diego García

Mar 27, 2023, 4:25:09 PM
to FIDO Dev (fido-dev)
Hi folks,

I'm currently struggling with this topic, so I hope anyone here has found out how to make it possible.

Currently, I have already implemented WebAuthn for a website and it is showing these 2 options on attestation (registration) of a FIDO Authenticator.

[attached image: Screenshot 2023-03-27 at 3.16.35 PM.png]

It's working fine, but I would prefer to restrict the registration to USB security keys only, because the specification for the app that we are building says that it should only work with security keys.

So basically, I would like to remove the "A different device" option.

On the WebAuthn repo the WebAuthn team told me that it can be done, but if any of you try to set up a security key as a multi-factor authentication for your GOOGLE ACCOUNT, you will see that the prompt directly asks you to use your security key.

[attached image: Screenshot 2023-03-27 at 3.22.22 PM.png]

It does not show any other option, or any "try another method" that allows the user to go back and select another option.

This is what I want to achieve.

If any of you have any idea on how to try or achieve this, I would be very grateful.

Thank you so much in advance,

Sebastian Garcia.

Emil Lundberg

Mar 28, 2023, 3:59:41 AM
to Diego García, FIDO Dev (fido-dev)
There is no way to do this and none is planned, see: https://github.com/w3c/webauthn/issues/1750

The closest you could get is to set `authenticatorSelection.authenticatorAttachment: "cross-platform"`, but that will still also allow "phone as a security key" (the FIDO "hybrid" transport), so it'll still offer the "A different device" option.

Emil Lundberg

Senior Software Engineer | Yubico


Adam Langley

Apr 4, 2023, 1:29:36 PM
to FIDO Dev (fido-dev), Diego García
On Monday, March 27, 2023 at 1:25:09 PM UTC-7 Diego García wrote:

> It does not show any other option, or any "try another method" that allows the user to go back and select another option.
>
> This is what I want to achieve.

This behaviour for accounts.google.com is Chrome specific and is a side-effect of the fact that a.g.c was the test bed for caBLE, which developed into hybrid CTAP. Since early versions of caBLE were structured completely differently, and those versions are still in active use, hybrid CTAP is disabled for a.g.c in several contexts. Thus USB is the only option left.

But that is not true of websites in general. Chrome does not currently provide any mechanism for sites to specify that only a particular transport is allowed for credential creation. We're probably not strongly opposed to it, but in general we feel that users should be able to choose their authenticators in non-enterprise contexts.


Cheers

AGL
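The two replies above make the same practical point from different sides: the browser lets a relying party exclude platform authenticators with `authenticatorSelection.authenticatorAttachment: "cross-platform"`, but it offers no way to exclude the hybrid ("phone as a security key") transport, so a "USB only" policy cannot be enforced in the credential-creation dialog. What a relying party can do is enforce it after the fact, on the server, using the transports the authenticator reported through `AuthenticatorAttestationResponse.getTransports()`. The following is an added example, not code from the thread or from any of the posters; `rpId`, the `Example` RP name, the `registerSecurityKey` helper and the allowed/rejected transport sets are assumptions chosen for illustration.

```javascript
// Added example: a USB-security-key-only registration policy for WebAuthn.
// Browser side: "cross-platform" is the closest WebAuthn gets (it still admits
// the hybrid transport). Server side: check the reported transports and reject
// anything that is not a USB security key.

const rpId = "example.com"; // assumption: the relying party's RP ID

// Build PublicKeyCredentialCreationOptions for the browser call.
// `challenge` and `userId` are Uint8Arrays issued by the server (assumed).
function buildCreationOptions(challenge, userId, userName) {
  return {
    rp: { id: rpId, name: "Example" },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      // Excludes platform authenticators (Touch ID, Windows Hello) only;
      // roaming keys AND phones over hybrid CTAP remain selectable.
      authenticatorAttachment: "cross-platform",
      residentKey: "discouraged",
      userVerification: "preferred",
    },
    // "direct" lets the server additionally verify the AAGUID/attestation
    // if a transport hint alone is not considered strong enough.
    attestation: "direct",
    timeout: 60000,
  };
}

// Server-side policy. Transports are a client-supplied hint, so the server
// must decide explicitly how to treat an empty list (older authenticators
// and some browsers return []).
const ALLOWED_TRANSPORTS = new Set(["usb"]);
const REJECTED_TRANSPORTS = new Set(["hybrid", "internal"]);

function checkTransports(transports, { allowEmpty = false } = {}) {
  if (!Array.isArray(transports)) {
    return { ok: false, reason: "transports-missing" };
  }
  if (transports.length === 0) {
    return allowEmpty
      ? { ok: true, reason: "empty-allowed" }
      : { ok: false, reason: "transports-empty" };
  }
  const rejected = transports.filter((t) => REJECTED_TRANSPORTS.has(t));
  if (rejected.length > 0) {
    return { ok: false, reason: `disallowed:${rejected.join(",")}` };
  }
  const hasAllowed = transports.some((t) => ALLOWED_TRANSPORTS.has(t));
  return hasAllowed
    ? { ok: true, reason: "usb" }
    : { ok: false, reason: "no-allowed-transport" };
}

// Browser-side flow (assumed helper; needs a real browser and a user gesture,
// so it is not executed here). The returned transports are sent to the server
// together with attestationObject and clientDataJSON, and the server runs
// checkTransports() before storing the credential.
async function registerSecurityKey(challenge, userId, userName) {
  const cred = await navigator.credentials.create({
    publicKey: buildCreationOptions(challenge, userId, userName),
  });
  const transports =
    typeof cred.response.getTransports === "function"
      ? cred.response.getTransports()
      : [];
  return { id: cred.id, transports };
}

// Constructed sample inputs showing what the server sees for typical cases.
const SAMPLE_RESULTS = {
  usbKey: checkTransports(["usb"]),            // accepted
  usbNfcKey: checkTransports(["usb", "nfc"]),  // accepted
  phoneViaHybrid: checkTransports(["hybrid", "internal"]), // rejected
  bleOnly: checkTransports(["ble"]),           // rejected
  unknown: checkTransports([]),                // rejected unless allowEmpty
};
```

The user still sees the "A different device" option, as both replies say; the difference is that a phone registered over hybrid CTAP reports `hybrid` (usually together with `internal`) and is refused by the server, so the site ends up with only USB credentials. Because `getTransports()` is a hint rather than an attested property, a policy that needs to resist a tampered client should also verify the attestation statement and match the AAGUID against the vendor metadata of the security keys it intends to allow.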