Comments (4)
Do you have more info on that maybe I can code fingerprint it into this code
from webauthn.
Which info do you need?
from webauthn.
Information from someone else who emailed me directly suggests this may be possible, but would not follow the spec.
Firstly, the browser must support fingerprint for webauthn. I was not aware this was already the case, and I don't have one to test with.
Commenting out the line
$result->authenticatorSelection->authenticatorAttachment = 'cross-platform';
should allow the connection to the device to be made: cross-platform effectively means a device you can plug in such as a key, and platform means built-in. Presumably neither (ie commented out) means no restriction. I think the point is platform is more secure so one might want to restrict it to that. See https://www.w3.org/TR/webauthn/#attachment and https://www.w3.org/TR/webauthn/#sctn-authenticator-attachment-modality .
However, for the test that was done, it appears you also need to remove the checks on flags
:
// if ($ao->flags != 0x1) { $this->oops('cannot decode key response (2c)'); } /* only TUP must be set */
He did this on a OnePlus 6T/Pie (Android phone). This is less obvious. The spec (https://www.w3.org/TR/webauthn/#verifying-assertion item 12) simply says to check it is 1, which means "user present", which in my mind means they pressed a button or some such (and a fingerprint reader qualifies for that), not just a passive device that always responds, but I may be wrong about that. Nevertheless the spec is clear that it should be checked to pass, and should be 1. webauthn is all very new and the spec is very complex, so it wouldn't be surprising if some implementations don't interpret it quite the same. So I'd be cautious about removing that test, in general, without some indication as to why the device isn't setting it, but it seems to allow at least that the fingerprint reader he was using to pass.
from webauthn.
Those lines are currently line 80 and 281 of webauthn/webauthn.php
from webauthn.
Related Issues (20)
- Icon in rp
- Bio-metric Authentication HOT 12
- Trim unnecessary stuff HOT 2
- Timeout not implemented? HOT 2
- iphone safari browser is not working HOT 8
- Windows + FIDO + Securitykey return fmt as packed in the attestationobject
- `composer require` fails with InvalidArgumentException HOT 2
- Firefox has started returning an error on registration HOT 1
- Safari: registration failed: Bad Request: cannot decode key response (5) HOT 3
- Setting unknown property: appid for local host HOT 5
- 500 / Couldn't initiate registration HOT 2
- phpseclib3 HOT 4
- Multiple Keys per user HOT 3
- couldn't initiate login: SyntaxError: Unexpected end of JSON input: HOT 2
- Add support for discoverable credentials (passkeys) HOT 1
- problem authenticating - abort HOT 5
- aaguid empty HOT 10
- Android 9 fails to offer choice of finger print HOT 1
- iOS 17.4.1
- 1Password passkeys
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.