New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No way to verify requireResidentKey during registration step at RP side #1060
Comments
I was about to say this can in theory be derived from trust in the attestation statement and thus trust that the authenticator obeys the parameter - but since |
I think we may use RFU bit of flags in authenticator data without breaking changes for requireResidentKey state. |
It would be a breaking change for authenticator vendors, who would have to implement that flag. |
@emlun yeah, you are right. I have just considered RP side. |
@Kieun Is there a reason why RP needs to know if it RK? The client will anyway reject if Authr does not support RK |
@herrjemand the |
@herrjemand I'm not sure about the current authenticator's implementation. But, what if the authenticator only supports device resident key feature and the server set requireResidentKey as false or let it as default value? |
@Kieun FIDO2 authenticator can not be RK only. RK is an optional feature. The core MakeCred and GetAssertion are mandatory. Additionally for RP there is no difference to have RK cred returned or not RK cred returned. For RK it is the same assertion. |
@herrjemand Without the authenticator support resident key, RP cannot provide username-less UX flow. So, from the RP perspective, RP should have that kind information. |
@Kieun RP can get this information by calling MakeCred with RK and see if the call fails or succeeds. |
@Kieun You can refer to CTAP2 protocol https://drafts.fidoalliance.org/fido-2/stable-links-to-latest/fido-client-to-authenticator-protocol.html |
I think issue #991 would be something good for you to look |
@herrjemand Thanks for pointing out the related docs. |
|
FIDO authenticators may be required to support non-resident credentials, but I don't think the abstract authenticator model in WebAuthn forbids authenticators that only support resident keys. |
Yes, @emlun is correct about it. |
So, my suggestion is that RP should have knowledge whether the key is resided in the client side or not during the registration process without trial and error. Such information should be delivered to the RP server so that RP can decide UX flow for the authentication. |
@emlun wrote:
Agreed, that is my understanding per webauthn & CTAP specs. note that the werbauthn language for requireResidentKey says only this:
Note also the "credential storage modality" section here: http://w3c.github.io/webauthn/#sctn-credential-storage-modality, ..whose last paragraph says:
It seems to me @Kieun has a valid point here (#1060 (comment)) cc: @christiaanbrand |
To me this original requirement seems well aligned with issue #991 |
Handled by PR #1191 |
#1191 was merged, closing this... |
In order to allow authenticators having require resident key feature only due to security reasons, RP can set requireResidentKey as true when calling create request.
Even platforms and browsers handle such parameters and may work correctly, from the view point of RP side, there is no way to verify whether credentials are really resident at authenticator side or not.
If the authenticator data includes requireResidentKey as a flag like UV and UP, RP can verify its value and integrity by verifying the signature.
The text was updated successfully, but these errors were encountered: