WebAuthN - PIN mandatory for Resident Keys


Aravind Jerubandi

Apr 10, 2022, 11:19:46 PM4/10/22
to FIDO Dev (fido-dev)
I'm playing around with the WebAuthN demo app with my YubiKey device.

In the demo app, there is an option to select resident key and User Verification.

If I select the option to use a resident key and set user verification to 'Discouraged', it still prompts me to enter the PIN.

So it looks like a PIN is mandatory for resident keys. Is this enforced by the WebAuthN protocol or by the YubiKey device?

Shane Weeden

Apr 11, 2022, 1:12:30 AM4/11/22
to Aravind Jerubandi, FIDO Dev (fido-dev)
I suspect most likely the client (i.e. browser). 


DUBOUCHER Thomas

Apr 11, 2022, 6:26:06 AM4/11/22
to Shane Weeden, Aravind Jerubandi, FIDO Dev (fido-dev)

Hi,

User Verification is not mandatory for Discoverable Credentials (aka Resident Keys), at least not in the CTAP2 protocol.

However, in this case the authenticator shall not return any PII if it supports any form of UV – which in turn makes credential selection impossible for the user, because the client cannot prompt any meaningful information to identify the account.

Probably, on the client side, UV is enforced for RK if the authenticator supports UV, even if it is set to discouraged, to avoid this UI/UX issue.

Best regards,

--
Thomas Duboucher

John Bradley

Apr 11, 2022, 11:02:06 AM4/11/22
to FIDO Dev (fido-dev), thomas.d...@thalesgroup.com, FIDO Dev (fido-dev), Shane Weeden, aravind....@gmail.com
The other issue with Discoverable credentials is that Chrome creates them at credprotect level 2 unless the RP explicitly sets a level.

That means that without UV the authenticator would not find the credentials. To avoid that, most clients will prompt for UV even if it is set to discouraged.

RPs using discoverable credentials (no allow list) should always set UV to preferred in the request, or they may have trouble with clients that don't override the UV setting in the RP's request.
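An added example, not code from the thread or from any of the posters: a small lint pass over a `PublicKeyCredentialCreationOptions` object that checks the two points made above (a discoverable credential requested with UV `discouraged`, and no explicit credProtect level so the client picks one for you), plus a helper that rewrites the options to `residentKey: "required"`, UV at least `preferred`, and an explicit credProtect policy. It runs in Node with no browser or authenticator. The function names are mine, the RP, user and challenge values are constructed placeholders, and the extension inputs `credentialProtectionPolicy` / `enforceCredentialProtectionPolicy` are the client-side names of the WebAuthn credProtect extension as I understand them; check them against your client's support before relying on them.

```javascript
// Added example, not code from the fido-dev thread. Pure JavaScript, runs
// in Node; rp/user/challenge below are constructed sample values.

// credProtect policies as named by the WebAuthn "credProtect" extension
// input credentialProtectionPolicy, mapped to their CTAP 2.1 levels.
const CRED_PROTECT_LEVEL = {
  userVerificationOptional: 1,
  userVerificationOptionalWithCredentialIDList: 2,
  userVerificationRequired: 3,
};

// WebAuthn Level 2 requests a discoverable credential via residentKey;
// the older boolean requireResidentKey is honoured for compatibility.
function wantsDiscoverableCredential(opts) {
  const sel = opts.authenticatorSelection || {};
  return sel.residentKey === "required" ||
         sel.residentKey === "preferred" ||
         sel.requireResidentKey === true;
}

// Returns a list of warnings; an empty list means the options follow the
// advice in the thread for discoverable credentials.
function lintCreationOptions(opts) {
  const warnings = [];
  if (!wantsDiscoverableCredential(opts)) return warnings;

  const sel = opts.authenticatorSelection || {};
  const uv = sel.userVerification || "preferred"; // WebAuthn default value
  const policy = (opts.extensions || {}).credentialProtectionPolicy;

  if (uv === "discouraged") {
    warnings.push(
      "userVerification 'discouraged' with a discoverable credential: most " +
      "clients prompt for PIN/UV anyway, and a client that honours it may not " +
      "find credProtect level 2 credentials later; use 'preferred'");
  }
  if (policy === undefined) {
    warnings.push(
      "no credentialProtectionPolicy: Chrome defaults discoverable credentials " +
      "to credProtect level 2; set the level explicitly");
  } else if (!(policy in CRED_PROTECT_LEVEL)) {
    warnings.push(`unknown credentialProtectionPolicy '${policy}'`);
  } else if (CRED_PROTECT_LEVEL[policy] >= 2 && uv === "discouraged") {
    warnings.push(
      `credProtect level ${CRED_PROTECT_LEVEL[policy]} needs UV to be found ` +
      "without an allow list, but UV is 'discouraged'");
  }
  return warnings;
}

// Returns a copy of opts with the thread's recommended settings for a
// discoverable credential: residentKey required, UV at least preferred, and
// an explicit credProtect policy (default: the level 2 Chrome would pick).
function withDiscoverableDefaults(
  opts, policy = "userVerificationOptionalWithCredentialIDList") {
  const sel = { ...(opts.authenticatorSelection || {}) };
  sel.residentKey = "required";
  sel.requireResidentKey = true;
  if (sel.userVerification !== "required") sel.userVerification = "preferred";
  const extensions = {
    ...(opts.extensions || {}),
    credentialProtectionPolicy: policy,
    // false: do not abort on authenticators that lack credProtect support
    enforceCredentialProtectionPolicy: false,
  };
  return { ...opts, authenticatorSelection: sel, extensions };
}

// Constructed sample: roughly what the demo app in the thread sends when
// "resident key" is ticked and UV is set to discouraged.
const demoOptions = {
  rp: { id: "example.test", name: "Example RP" },                 // assumed
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice",
          displayName: "Alice" },                                 // assumed
  challenge: new Uint8Array(32),                                   // placeholder
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],             // ES256
  authenticatorSelection: { residentKey: "required",
                            userVerification: "discouraged" },
};

console.log("warnings:", lintCreationOptions(demoOptions));
console.log("warnings after fix:",
            lintCreationOptions(withDiscoverableDefaults(demoOptions)));
```

The linter does not talk to an authenticator; it only catches the request shape that produces the confusing "PIN prompt despite discouraged" behaviour before `navigator.credentials.create()` is called, and the rewrite helper leaves `userVerification: "required"` untouched when the RP already demanded it.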