Platform authenticators (TouchID/FaceID and Windows Hello) not supported #5790

Closed
tmccal2 opened this issue Jan 6, 2022 · 2 comments
Comments

@tmccal2
tmccal2 commented Jan 6, 2022

Steps to reproduce the issue (please be as specific as possible)

Log in to login.gov, then select "Add Security Key" beneath "Your Authenticators".

Expected behavior

[macOS/iOS] The authentication prompt opens, asking to use FaceID/TouchID
[Windows 10/11] The authentication prompt opens, asking to use Windows Hello for authentication.

In both of these prompts, there should be a link to instead authenticate with a security key.

Actual behavior

On both ends, it only asks for a security key.

I think this is occurring because the webauthn javascript code explicitly sets the authenticatorSelection.authenticatorAttachment option to 'cross-platform' when registering a new credential. Not setting this property can allow for both cross-platform authenticators (such as a Yubikey) and platform authenticators (such as your mobile device).

If we remove the following line and keep user_verification to 'discouraged', it should still keep users from being required to enter a PIN number to authenticate, but should also allow use of TouchID/FaceID and Windows Hello.

authenticatorSelection: {
  // Prevents user from needing to use PIN with Security Key
  userVerification: 'discouraged',
  authenticatorAttachment: platformAuthenticator ? 'platform' : 'cross-platform',
},

Otherwise, what is the rationale for forbidding use of FaceID/TouchID and Windows Hello?
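The behaviour described in the issue above, as an added example that is not part of the original issue or the login.gov code base: it builds WebAuthn creation options with `authenticatorAttachment` either pinned or left unset, and reports which authenticator classes each variant permits. The function names, the relying-party name and the sample user are assumptions made for illustration.

```javascript
// Added example; function names and sample values are hypothetical.
const ATTACHMENTS = ['platform', 'cross-platform'];

// Build authenticatorSelection. Pass undefined to leave authenticatorAttachment
// unset, so the browser may offer both authenticator classes.
function buildAuthenticatorSelection(attachment) {
  // 'discouraged' matches the issue: no PIN prompt for security keys.
  const selection = { userVerification: 'discouraged' };
  if (attachment !== undefined) {
    if (!ATTACHMENTS.includes(attachment)) {
      throw new RangeError(`unknown authenticatorAttachment: ${attachment}`);
    }
    selection.authenticatorAttachment = attachment;
  }
  return selection;
}

// Report which authenticator classes a set of creation options permits.
function permittedAttachments(options) {
  const value = options.authenticatorSelection?.authenticatorAttachment;
  return ATTACHMENTS.includes(value) ? [value] : [...ATTACHMENTS];
}

// Assemble options for navigator.credentials.create({ publicKey: ... }).
function buildCreationOptions({ challenge, userId, userName, attachment }) {
  return {
    challenge,
    rp: { name: 'Example RP' }, // constructed value
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    authenticatorSelection: buildAuthenticatorSelection(attachment),
  };
}

// Browser-only feature check; resolves false where WebAuthn is absent (e.g. Node).
async function platformAuthenticatorAvailable() {
  if (typeof PublicKeyCredential === 'undefined') return false;
  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Constructed sample input; a real challenge comes from the server.
const sample = { challenge: new Uint8Array(32), userId: new Uint8Array([1, 2, 3, 4]), userName: 'user@example.com' };
const restricted = buildCreationOptions({ ...sample, attachment: 'cross-platform' });
const unrestricted = buildCreationOptions({ ...sample });
console.log(permittedAttachments(restricted));
console.log(permittedAttachments(unrestricted));
```

In a browser, `platformAuthenticatorAvailable()` can decide whether to show a TouchID/FaceID or Windows Hello option before calling `navigator.credentials.create`.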

@mitchellhenke
Contributor

Thanks for opening this issue!

We have implemented support for Platform Authenticators (#5632), but have not enabled it just yet (my hope is we do that soon 🙂).

@mitchellhenke
Contributor

This feature was released today! 🙂
