
Comments (4)

geraldkrug avatar geraldkrug commented on July 20, 2024

Do you have more info on that? Maybe I can code fingerprint it into this code.

from webauthn.

redochka avatar redochka commented on July 20, 2024

Which info do you need?

from webauthn.

davidearl avatar davidearl commented on July 20, 2024

Information from someone else who emailed me directly suggests this may be possible, but would not follow the spec.

Firstly, the browser must support fingerprint for webauthn. I was not aware this was already the case, and I don't have one to test with.

Commenting out the line
$result->authenticatorSelection->authenticatorAttachment = 'cross-platform';
should allow the connection to the device to be made: cross-platform effectively means a device you can plug in such as a key, and platform means built-in. Presumably neither (i.e. commented out) means no restriction. I think the point is platform is more secure so one might want to restrict it to that. See https://www.w3.org/TR/webauthn/#attachment and https://www.w3.org/TR/webauthn/#sctn-authenticator-attachment-modality .

However, for the test that was done, it appears you also need to remove the checks on flags:
// if ($ao->flags != 0x1) { $this->oops('cannot decode key response (2c)'); } /* only TUP must be set */
He did this on a OnePlus 6T/Pie (Android phone). This is less obvious. The spec (https://www.w3.org/TR/webauthn/#verifying-assertion item 12) simply says to check it is 1, which means "user present", which in my mind means they pressed a button or some such (and a fingerprint reader qualifies for that), not just a passive device that always responds, but I may be wrong about that. Nevertheless the spec is clear that it should be checked to pass, and should be 1. webauthn is all very new and the spec is very complex, so it wouldn't be surprising if some implementations don't interpret it quite the same. So I'd be cautious about removing that test, in general, without some indication as to why the device isn't setting it, but it seems at least to allow the fingerprint reader he was using to pass.

from webauthn.
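A worked illustration of the flags check discussed in the comment above, added here as an example; it is not code from the davidearl/webauthn library or from anyone in this thread. It relies on the flags byte layout in the WebAuthn authenticator data (https://www.w3.org/TR/webauthn/#sec-authenticator-data): bit 0 is UP (user present), bit 2 is UV (user verified). An authenticator that verifies a fingerprint sets UV as well as UP, so the byte is 0x05 rather than 0x01, and an equality test against 0x1 fails even though the response is spec-conformant. The spec asks only that UP be set, plus UV when the relying party required user verification. The `rpIdHash` value and both authenticator data samples below are constructed, and `parseAuthData`, `flagsOkStrict` and `flagsOkSpec` are names chosen for this example.

```php
<?php
// Added example, not code from davidearl/webauthn. Compares the over-strict
// "flags must equal 0x1" test with the check the WebAuthn spec describes.
//
// authenticatorData layout (https://www.w3.org/TR/webauthn/#sec-authenticator-data):
//   rpIdHash   32 bytes
//   flags       1 byte   bit 0 = UP (user present), bit 2 = UV (user verified),
//                        bit 6 = AT (attested credential data), bit 7 = ED (extensions)
//   signCount   4 bytes, big-endian
//   ...         optional attested credential data / extension data

const FLAG_UP = 0x01;
const FLAG_UV = 0x04;
const FLAG_AT = 0x40;
const FLAG_ED = 0x80;

/**
 * Parse the fixed 37-byte prefix of authenticatorData.
 * Returns rpIdHash (raw bytes), flags (int) and signCount (int).
 */
function parseAuthData(string $authData): array
{
    if (strlen($authData) < 37) {
        throw new InvalidArgumentException('authenticatorData too short');
    }
    return [
        'rpIdHash'  => substr($authData, 0, 32),
        'flags'     => ord($authData[32]),
        'signCount' => unpack('N', substr($authData, 33, 4))[1],
    ];
}

/** The over-strict test discussed in the thread: only exactly UP is accepted. */
function flagsOkStrict(int $flags): bool
{
    return $flags == 0x1;
}

/**
 * Spec-style test for an assertion: the UP bit must be set; the UV bit must
 * also be set if the relying party asked for user verification. Other bits
 * (UV when not required, ED) are allowed to be set.
 */
function flagsOkSpec(int $flags, bool $requireUserVerification = false): bool
{
    if (($flags & FLAG_UP) === 0) {
        return false;
    }
    if ($requireUserVerification && ($flags & FLAG_UV) === 0) {
        return false;
    }
    return true;
}

// Constructed sample authenticatorData for two assertions against the same RP.
// The rpIdHash is a fake 32-byte value; only flags and counter matter here.
$rpIdHash    = str_repeat("\x11", 32);
$securityKey = $rpIdHash . chr(FLAG_UP) . pack('N', 7);             // button press: flags 0x01
$fingerprint = $rpIdHash . chr(FLAG_UP | FLAG_UV) . pack('N', 42);  // fingerprint:  flags 0x05

foreach (['security key' => $securityKey, 'fingerprint reader' => $fingerprint] as $name => $authData) {
    $parsed = parseAuthData($authData);
    printf("%-18s flags=0x%02x counter=%d strict=%s spec=%s spec+UV=%s\n",
        $name,
        $parsed['flags'],
        $parsed['signCount'],
        flagsOkStrict($parsed['flags']) ? 'pass' : 'FAIL',
        flagsOkSpec($parsed['flags']) ? 'pass' : 'FAIL',
        flagsOkSpec($parsed['flags'], true) ? 'pass' : 'FAIL');
}
```

Run it with `php` on the command line. The fingerprint sample fails the strict test and passes the spec-style one, which is the behaviour described in the comment; the security key sample passes both unless user verification is required. Replacing the equality test with a bit test keeps the "user present" requirement the spec insists on rather than dropping the check entirely.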

davidearl avatar davidearl commented on July 20, 2024

Those lines are currently line 80 and 281 of webauthn/webauthn.php

from webauthn.
