Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reflect caching of user verification in WebAuthn assertion #2023

Open
rlin1 opened this issue Feb 14, 2024 · 7 comments · May be fixed by #2021
Open

Reflect caching of user verification in WebAuthn assertion #2023

rlin1 opened this issue Feb 14, 2024 · 7 comments · May be fixed by #2021
Assignees
Labels
@Risk Items that are at risk for L3 stat:Blocked Prerequisites are not yet satisfied type:technical

Comments

@rlin1
Copy link
Contributor

rlin1 commented Feb 14, 2024

Proposed Change

Some pluggable passkey providers, do not request a fresh user verification for each call to getAssertion.
This is a deviation from the traditional behavior and might surprise relying parties that are using WebAuthn today with the respective default passkey providers.

We propose the following:
a) an ability for the RP to tell the passkey provider that caching of the user verification is allowed (up to a defined time, the maximum user verification caching time maxUVC)
b) an ability for the authenticator to reflect the caching of the user verification in the assertion.

See PR #2021

@rlin1 rlin1 linked a pull request Feb 14, 2024 that will close this issue
@rlin1 rlin1 self-assigned this Feb 14, 2024
@rlin1 rlin1 linked a pull request Feb 14, 2024 that will close this issue
@Firstyear
Copy link
Contributor

I'm not sure this is needed? If you have attestation then you'll know what the credential model is and will allow or disallow UP/UV caching. I can't really see a case where a deployment would want this because they either don't do attestation, so credentials are a free-for-all, or they do do attestation and they have strict policy about what credentials are or are not accepted and the properties of those devices.

@ve7jtb
Copy link
Contributor

ve7jtb commented Feb 28, 2024

The current passkey provider requirements explicitly disallow UV caching.
: Requirement 6.7
:: The UV bit in the response to either a get() or create() request MUST reflect whether user verification was performed during the processing of the request. (I.e. “caching” of user verification is not sufficient to set the UV bit in a response.)

@Firstyear
Copy link
Contributor

I'm sure that it will then shock you to learn about passkey providers that set UV=true when they do not infact re-validate the user. They already do UV caching.

Ergo my point still stands - if you care about UV being a strong assertion, you need to attest credentials.

@sbweeden
Copy link
Contributor

True from an enforcement-of-policy perspective but understand the point of efforts like this is to make it easier and less of a penalty for passkey providers to tell the truth.

@Firstyear
Copy link
Contributor

Theres no penalty for them to lie either. Who's checking and regulating any of this?

@MasterKale
Copy link
Contributor

Theres no penalty for them to lie either. Who's checking and regulating any of this?

No one now but it could become a factor in receiving e.g. FIDO certification.

@nicksteele
Copy link
Contributor

It will most likely be a factor for certification and while we at 1Password will eventually become conformant regardless, that would probably be the fastest driver for us and other credential providers.

@nadalin nadalin added the stat:Blocked Prerequisites are not yet satisfied label May 1, 2024
@emlun emlun changed the title Reflect caching of user gestures in WebAuthn assertion Reflect caching of user verification in WebAuthn assertion Aug 14, 2024
@nadalin nadalin added the @Risk Items that are at risk for L3 label Oct 30, 2024
@nadalin nadalin added this to the Futures (catch-all) milestone Oct 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@Risk Items that are at risk for L3 stat:Blocked Prerequisites are not yet satisfied type:technical
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants