Hi list,
We are using WebAuthn with Keycloak.
Usage is OK: both registration and login are fine with a Yubikey.
However, I recently gave TouchID a try using a MacBook and the Safari web browser.
From my observation:
- registration is OK (WebAuthn policy set to "Require Resident Key: no" and "User Verification Requirement: discouraged").
During registration, Safari prompts for either an external device or to allow TouchID to operate for the website.
That is because "Authenticator attachment" is not set, so Safari allows both "platform" (TouchID) and "cross-platform" (Yubikey) scenarios.
Forcing platform only prompts for TouchID activation, and forcing cross-platform only asks for an external auth device.
Safari/TouchID is correctly registered as a new device when auth attachment is not set.
- subsequent logins fail: after entering username and password, Safari only prompts for an external auth device, as if authenticator attachment were set to cross-platform, forbidding the selection of any previously registered platform device.
Despite having two distinct registration actions for platform and cross-platform devices, the login workflow correctly prompts the user to select a Yubikey or native auth.
With platform-native authentication being easier than ever to use (be it Face/TouchID or Windows Hello), I'd really like to be able to use both platform and cross-platform.
Any hints on that?
Thanks,
Ionel