Steps to reproduce the issue (please be as specific as possible)
Log in to login.gov, then select "Add Security Key" beneath "Your Authenticators".
Expected behavior
[macOS/iOS] The authentication prompt opens, asking to use FaceID/TouchID
[Windows 10/11] The authentication prompt opens, asking to use Windows Hello for authentication.
In both of these prompts, there should be a link to instead authenticate with a security key.
Actual behavior
On both ends, it only asks for a security key.
I think this is occurring because the WebAuthn JavaScript code explicitly sets the authenticatorSelection.authenticatorAttachment option to 'cross-platform' when registering a new credential. Not setting this property can allow for both cross-platform authenticators (such as a YubiKey) and platform authenticators (such as your mobile device).
If we remove the following line and keep user_verification set to 'discouraged', it should still keep users from being required to enter a PIN number to authenticate, but should also allow use of TouchID/FaceID and Windows Hello.
identity-idp/app/javascript/app/webauthn.js
Lines 93 to 97 in b04e0cc
Otherwise, what is the rationale for forbidding use of FaceID/TouchID and Windows Hello?
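The difference the issue describes, as an added example that is not part of the original report and is not login.gov's code: registration options built with `authenticatorAttachment` set to 'cross-platform' beside options that leave the member out. The function names, relying-party name and user values are hypothetical; `userVerification` is the standard WebAuthn spelling of the option the report calls user_verification.

```javascript
// Added example. Function names, RP name and user values are hypothetical.
const ATTACHMENTS = ['platform', 'cross-platform'];

// Build options for navigator.credentials.create(). `attachment` is optional:
// when it is undefined the authenticatorAttachment member is left out entirely.
function buildCreationOptions({ challenge, userId, userName, attachment }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError('challenge must be at least 16 random bytes');
  }
  const authenticatorSelection = { userVerification: 'discouraged' };
  if (attachment !== undefined) {
    if (!ATTACHMENTS.includes(attachment)) {
      throw new TypeError(`unknown authenticatorAttachment: ${attachment}`);
    }
    authenticatorSelection.authenticatorAttachment = attachment;
  }
  return {
    publicKey: {
      challenge, // issued by the server for this registration
      rp: { name: 'Example RP' },
      user: { id: userId, name: userName, displayName: userName },
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // ES256
        { type: 'public-key', alg: -257 }, // RS256
      ],
      attestation: 'none',
      authenticatorSelection,
    },
  };
}

// Which authenticator classes the browser may offer for these options.
function offeredAuthenticators(options) {
  const selection = options.publicKey.authenticatorSelection || {};
  const attachment = selection.authenticatorAttachment;
  return attachment === undefined ? [...ATTACHMENTS] : [attachment];
}

// Browser only: create the credential and report which class the user picked.
async function register(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return null;
  const credential = await navigator.credentials.create(options);
  return { id: credential.id, attachment: credential.authenticatorAttachment ?? null };
}
```

Recording the returned `attachment` value at registration lets the relying party label each credential as a platform authenticator or a roaming security key in the account's authenticator list.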