webauthn-rs: Can't use Passkeys registered on devices with preferred authorization on devices without preferred authorization
Hi there, I’m running into an issue with using Passkeys between devices. Here’s a quick way to reproduce it:
- Use the default `UserVerificationPolicy` of `Preferred`
- Register a Passkey on a device where preferred causes user verification to happen (such as an iPhone with Face ID)
- Attempt to use the Passkey on a different device where preferred doesn’t trigger user verification (such as a Mac Studio)
- Get a `UserNotVerified` error
It seems like it’s caused by this logic: https://github.com/kanidm/webauthn-rs/blob/09ff14cec763863cbe2122a48fa72e36efc24e09/webauthn-rs-core/src/core.rs#L757-L764
As far as I can tell, this causes the passkey to get “upgraded” into a state where it can only be used with user verification. However, it seems to be difficult to work around this behavior.
My current solution is enabling the `danger-credential-internals` feature, checking if the passkey `Credential` has `user_verified` set to `true`, and if so, setting the user verification of the `RequestChallengeResponse` to `Required`. Does this make sense? Is there anything else I should be doing instead?
Thanks!
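The failure and the workaround described in the report above, as an added stand-alone model that is not webauthn-rs code: the types here are hypothetical stand-ins for the crate's `UserVerificationPolicy`, `Credential` (with its `user_verified` field) and `UserNotVerified` error, and the client behaviour is a simplified assumption (every platform performs UV under `Required`; under `Preferred` only platforms that default to it do).

```rust
// Stand-alone model of the UV policy problem from the issue (not crate code).

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum UserVerificationPolicy {
    Discouraged,
    Preferred,
    Required,
}

/// Subset of a stored credential. `user_verified` records that UV happened
/// at registration, which is the "upgrade" the issue describes.
#[derive(Clone, Debug)]
pub struct Credential {
    pub cred_id: &'static str,
    pub user_verified: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    UserNotVerified,
}

/// The reporter's workaround: if any credential offered for this
/// authentication was stored as UV-verified, request `Required` so that
/// platforms which would skip UV under `Preferred` are forced to perform it.
pub fn policy_for(creds: &[Credential], default: UserVerificationPolicy) -> UserVerificationPolicy {
    if creds.iter().any(|c| c.user_verified) {
        UserVerificationPolicy::Required
    } else {
        default
    }
}

/// Assumed client behaviour (hypothetical): `Required` always triggers UV;
/// `Preferred` only does so on platforms that verify by default (Face ID).
pub fn client_uv_flag(policy: UserVerificationPolicy, platform_uv_by_default: bool) -> bool {
    policy == UserVerificationPolicy::Required || platform_uv_by_default
}

/// Server-side check modelled on the issue: an assertion without the UV flag
/// cannot satisfy a credential that was stored as UV-verified.
pub fn verify_assertion(cred: &Credential, assertion_uv_flag: bool) -> Result<(), AuthError> {
    if cred.user_verified && !assertion_uv_flag {
        return Err(AuthError::UserNotVerified);
    }
    Ok(())
}

/// Full round trip: pick the policy, let the (modelled) client respond, verify.
pub fn authenticate(cred: &Credential, default: UserVerificationPolicy, platform_uv_by_default: bool) -> Result<(), AuthError> {
    let policy = policy_for(std::slice::from_ref(cred), default);
    verify_assertion(cred, client_uv_flag(policy, platform_uv_by_default))
}
```

Calling `verify_assertion` directly with the `Preferred` flag a non-UV platform would produce reproduces the `UserNotVerified` error; `authenticate` shows the workaround clearing it.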
About this issue
- State: closed
- Created a year ago
- Comments: 15 (9 by maintainers)
Yeah, those errors aren’t a problem in this context - the passkey is still created and then attempts to be used. I think that’s an older version of the tester though, I’ll update it shortly.
Saying this, you’re absolutely correct, there certainly does appear to be some kind of issue present as you are identifying. I’m just not sure how to reproduce it myself at this point.
In general, this is why we have hidden conditional ui prompts behind flags in the library - every browser has scuffed their implementation in some way, the worst being one browser that outright crashes the whole process when you access a conditional ui prompt. At this point I’m still not convinced it’s a good user experience yet given all the complexity to checks notes auto complete a username (especially when autofill/complete already exists …).
Ahh yep, that would do it! Thanks for explaining 😃
Good luck with webauthn-rs in your project, if you have any other questions or feedback please let us know!