Apply feedback

Firstyear · Apr 27, 2024 · e4c43b9 · e4c43b9
1 parent 1ca95d1
commit e4c43b9
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 13 deletions.
diff --git a/webauthn-rs-core/src/core.rs b/webauthn-rs-core/src/core.rs
@@ -594,7 +594,7 @@ impl WebauthnCore {
                 &data.attestation_object,
                 &client_data_json_hash,
             )?,
-            AttestationFormat::AndroidSafetynet => verify_android_safetynet_attestation(
+            AttestationFormat::AndroidSafetyNet => verify_android_safetynet_attestation(
                 acd,
                 &data.attestation_object,
                 &client_data_json_hash,

diff --git a/webauthn-rs-proto/src/options.rs b/webauthn-rs-proto/src/options.rs
@@ -187,7 +187,7 @@ pub enum AttestationFormat {
     /// Packed attestation
     #[serde(rename = "packed", alias = "Packed")]
     Packed,
-    /// TPM attestation (like Micrsoft)
+    /// TPM attestation (like Microsoft)
     #[serde(rename = "tpm", alias = "Tpm", alias = "TPM")]
     Tpm,
     /// Android hardware attestation
@@ -197,9 +197,9 @@ pub enum AttestationFormat {
     #[serde(
         rename = "android-safetynet",
         alias = "AndroidSafetyNet",
-        alias = "AndroidSafteynet"
+        alias = "AndroidSafetynet"
     )]
-    AndroidSafetynet,
+    AndroidSafetyNet,
     /// Old U2F attestation type
     #[serde(rename = "fido-u2f", alias = "FIDOU2F")]
     FIDOU2F,
@@ -219,7 +219,7 @@ impl TryFrom<&str> for AttestationFormat {
             "packed" => Ok(AttestationFormat::Packed),
             "tpm" => Ok(AttestationFormat::Tpm),
             "android-key" => Ok(AttestationFormat::AndroidKey),
-            "android-safetynet" => Ok(AttestationFormat::AndroidSafetynet),
+            "android-safetynet" => Ok(AttestationFormat::AndroidSafetyNet),
             "fido-u2f" => Ok(AttestationFormat::FIDOU2F),
             "apple" => Ok(AttestationFormat::AppleAnonymous),
             "none" => Ok(AttestationFormat::None),

diff --git a/webauthn-rs/src/lib.rs b/webauthn-rs/src/lib.rs
@@ -1011,12 +1011,23 @@ impl Webauthn {
     /// and assert their identity. Because of this reliance on the authenticator, attestation of
     /// the authenticator and its properties is strongly recommended.
     ///
-    /// The primary difference to a passkey, is that these credentials *can not* 'roam' between multiple
-    /// devices, and must be bound to a single authenticator. This precludes the use of certain types
-    /// of authenticators (such as Apple's Passkeys as these are always synced).
-    ///
-    /// Additionally, these credentials must provide an attestation certificate of authenticity
-    /// which will be cryptographically validated to strictly enforce that only certain devices may be used.
+    /// The primary difference to a passkey, is that these credentials must provide an attestation
+    /// certificate which will be cryptographically validated to strictly enforce that only certain
+    /// devices may be registered.
+    ///
+    /// This attestation requires that private key material is bound to a single hardware
+    /// authenticator, and cannot be copied or moved out of it. At present, all widely deployed
+    /// Hybrid authenticators (Apple iCloud Keychain and Google Passkeys in Google Password
+    /// Manager) are synchronised authenticators which can roam between multiple devices, and so can
+    /// never be attested.
+    ///
+    /// As of webauthn-rs v0.5.0, this creates a registration challenge with
+    /// [credential selection hints](PublicKeyCredentialHints) that only use ClientDevice or
+    /// SecurityKey devices, so a user-agent supporting Webauthn L3 won't offer to use Hybrid
+    /// credentials. On user-agents not supporting Webauthn L3, and on older versions of
+    /// webauthn-rs, user-agents would show a QR code and a user could attempt to register a
+    /// Hybrid authenticator, but it would always fail at the end -- which is a frustrating user
+    /// experience!
     ///
     /// You *should* recommend to the user to register multiple attested_passkey keys to their account on
     /// separate devices so that they have fall back authentication in the case of device failure or loss.
@@ -1170,7 +1181,7 @@ impl Webauthn {
             .reject_synchronised_authenticators(true)
             .exclude_credentials(exclude_credentials)
             .hints(Some(
-                // hybrid can NOT perform attestation
+                // hybrid does NOT perform attestation
                 vec![
                     PublicKeyCredentialHints::ClientDevice,
                     PublicKeyCredentialHints::SecurityKey,
@@ -1428,7 +1439,7 @@ impl Webauthn {
             .reject_synchronised_authenticators(true)
             .exclude_credentials(exclude_credentials)
             .hints(Some(
-                // hybrid can NOT perform attestation
+                // hybrid does NOT perform attestation
                 vec![
                     PublicKeyCredentialHints::ClientDevice,
                     PublicKeyCredentialHints::SecurityKey,