This repository has been archived by the owner on May 10, 2024. It is now read-only.

Can't Authenticate to Microsoft Accounts using a Security Key on iOS using WebAuthn #1584

Closed
gityubikey1 opened this issue Sep 26, 2019 · 4 comments

Comments

@gityubikey1

Description:

Authentication against Microsoft Accounts fails when authenticating with a security key (I used the YubiKey 5Ci). The key prompt is displayed, but no PIN is requested and authentication fails. Microsoft is using WebAuthn to enable the authentication flow.

Steps to Reproduce

On a desktop or laptop:

  1. Create a Microsoft account (http://login.live.com)
  2. Register a 5Ci key by going to "Security" -> "More Security Options" -> "Set up a security key"
  3. Register the key and create a PIN.

On an iPhone:

  1. Open the Brave browser
  2. Goto (http://login.live.com)
  3. Select "Sign in with a security key"
  4. Follow prompts to insert and touch key

[Screenshots IMG_0849 and IMG_0850 omitted]

Actual result:
Authentication fails. :(

[Screenshot IMG_0851 omitted]

Expected result:
User should be prompted for PIN and to authenticate successfully.

Reproduces how often: Easily reproduced

Brave Version:
v. 1.11.4 (19.08.29.21)

Device details:
iPhone 8 v. 12.4.1
iPhone XS v. 12.3.1

Website problems only:

  • did you check with Brave Shields down?
  • did you check in Safari/Firefox (WKWebView-based browsers)?
    Using WebAuthn - not supported in Safari or Firefox on iOS

Additional Information

@Brandon-T
Collaborator

Brandon-T commented Oct 3, 2019

We are not receiving the error "YKFKeyFIDO2ErrorCode.PIN_REQUIRED", and we aren't receiving a request for a PIN upon authentication (it is received during registration, though).

```
▿ WebAuthnAuthenticateRequest
  ▿ rpID : Optional<String>
    - some : "login.microsoft.com"
  - challenge : "........"
  - allowCredentials : 0 elements
  - userPresence : true
```

It does work on desktop, though :S

Also fails to register:

```
▿ WebAuthnRegisterRequest
  ▿ publicKey : PublicKey
    ▿ authenticatorSelection : Optional<AuthenticatorSelection>
      ▿ some : AuthenticatorSelection
        ▿ requireResidentKey : Optional<Bool>
          - some : true
    ▿ pubKeyCredParams : 2 elements
      ▿ 0 : PubKeyCredParams
        - alg : -7
        - type : "public-key"
      ▿ 1 : PubKeyCredParams
        - alg : -257
        - type : "public-key"
    ▿ user : User
      - displayName : "****"
      - name : "****@outlook.com"
      - id : "...."
    ▿ rp : Rp
      ▿ id : Optional<String>
        - some : "login.microsoft.com"
      - name : "Microsoft"
    - challenge : "...."
    ▿ excludeCredentials : Optional<Array<PublicKeyCredentialDescriptor>>
      - some : 0 elements
```

Well... I checked everything: responses, requests, everything. The only thing I can think of is a bug in the SDK.

@ve7jtb

ve7jtb commented Oct 9, 2019

Edge has a default of asking for the PIN if it is unspecified and the authenticator has one set.
They should be explicitly asking for UV, however.

The authenticator would only send back PinRequired for a makeCredential if a PIN is set.
It wouldn't return it for a get.

I do note that in one test I did on a key with no PIN set, sending UV required from the RP, it didn't prompt me to set a PIN. That may be a surprise to some RPs.

For getting a credential with a PIN set, no allow list and UV set to preferred/required, I am seeing a "UP bit not set" error in the browser.

That is with Brave 1.11.4. I just noticed that there is a new version; I will give that a try.

@ve7jtb

ve7jtb commented Oct 9, 2019

1.12.1 has the same error with UP not being set.

If Microsoft were properly setting UV then we would see that error. With Brave having a different default for UV being undefined, Microsoft gets back an assertion that has UV=0 and gives an error.

credProtect also now needs to be considered.

Pre-credProtect browsers have been doing UV=0, UP=0 to see if the authenticator has credentials of interest, then getting the PIN and asking for the credential.

Now, with Google Chrome setting credProtect level 2 by default, browsers need to ask for the PIN before looking for credentials, especially when there is no allow list. Otherwise, the authenticator will hide the credentials if you try to do a get with no UV or PIN token.

Currently, Windows is broken at finding credentials if they are created in Chrome on OSX because of this. The behavior is fixed in Win 20H1, and I am arguing that it deserves a backport.
I think Microsoft will always explicitly ask for credProtect level 1 to stop Chrome setting the default to 2.
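
The two relying-party decisions discussed in the comments above (stating the UV requirement explicitly rather than relying on the browser default, and pinning the credProtect level at registration), as an added example that is not code from the Brave issue, the Brave iOS SDK or Microsoft. Field names follow the WebAuthn options dictionaries and the authenticatorData layout (32-byte rpIdHash, one flags byte, 4-byte signCount); the extension members `credentialProtectionPolicy` and `enforceCredentialProtectionPolicy` are the names Chrome exposes for credProtect. The sample authenticatorData bytes are constructed, not captured.

```javascript
// Added example, not code from the Brave issue, the Brave iOS SDK or Microsoft.
// It shows the two relying-party decisions the thread turns on: saying
// explicitly whether user verification (UV) is required instead of leaving it
// to the browser default, and pinning the credProtect level at registration.
// Field names follow the WebAuthn options dictionaries; the extension member
// names credentialProtectionPolicy / enforceCredentialProtectionPolicy are the
// ones Chrome exposes for credProtect. Sample bytes are constructed, not captured.

const FLAG_UP = 0x01; // authenticatorData flags bit 0: user present
const FLAG_UV = 0x04; // authenticatorData flags bit 2: user verified

// CTAP2 credProtect levels mapped to the WebAuthn extension's string values.
const CRED_PROTECT_POLICY = {
  1: "userVerificationOptional",                     // level 1: legacy behaviour
  2: "userVerificationOptionalWithCredentialIDList", // level 2: hidden from allowList-less get() without UV
  3: "userVerificationRequired",                     // level 3: never returned without UV
};

// Options for navigator.credentials.get(). Leaving userVerification undefined
// lets each browser pick its own default (Edge asks for the PIN, Brave did not);
// an RP that expects UV=1 back must ask for it.
function buildGetOptions(challenge, rpId, allowCredentials = []) {
  return {
    publicKey: {
      challenge,                    // Uint8Array generated server-side
      rpId,
      allowCredentials,             // [] = discoverable (resident) credential flow
      userVerification: "required", // explicit, not left to the browser
      timeout: 60000,
    },
  };
}

// Options for navigator.credentials.create(). An RP that wants a resident
// credential discoverable by a get() with no allowList and no PIN token must
// ask for credProtect level 1 explicitly; otherwise a browser defaulting to
// level 2 hides the credential in that flow.
function buildCreateOptions(challenge, rp, user, credProtectLevel = 1) {
  return {
    publicKey: {
      challenge,
      rp,                               // e.g. { id: "login.microsoft.com", name: "Microsoft" }
      user,                             // { id: Uint8Array, name, displayName }
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        requireResidentKey: true,
        userVerification: "required",
      },
      extensions: {
        credentialProtectionPolicy: CRED_PROTECT_POLICY[credProtectLevel],
        enforceCredentialProtectionPolicy: true,
      },
    },
  };
}

// Server-side check of the assertion's authenticatorData: 32-byte rpIdHash,
// one flags byte, 4-byte big-endian signCount. Distinguishes the "UP bit not
// set" failure seen in the browser from a UV=0 assertion the RP rejects.
function checkAssertionFlags(authData, { requireUV }) {
  if (authData.length < 37) {
    return { ok: false, reason: "authenticatorData too short" };
  }
  const flags = authData[32];
  const up = (flags & FLAG_UP) !== 0;
  const uv = (flags & FLAG_UV) !== 0;
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  const signCount = view.getUint32(0, false);
  if (!up) return { ok: false, up, uv, signCount, reason: "UP bit not set" };
  if (requireUV && !uv) return { ok: false, up, uv, signCount, reason: "UV required but UV=0" };
  return { ok: true, up, uv, signCount, reason: null };
}

// Constructed authenticatorData (not a real capture): zeroed rpIdHash, the
// given flags byte, signCount 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

// Walk through the three outcomes the thread describes.
console.log(checkAssertionFlags(sampleAuthData(FLAG_UP | FLAG_UV), { requireUV: true })); // accepted
console.log(checkAssertionFlags(sampleAuthData(FLAG_UP), { requireUV: true }));           // UV=0 rejected
console.log(checkAssertionFlags(sampleAuthData(FLAG_UV), { requireUV: false }));          // UP bit not set
```

The RP side matters as much as the browser side here: if the server only checks the signature and never looks at the flags byte, a UV=0 assertion from a browser with a permissive default would be accepted silently, which is the opposite failure from the one reported in this issue.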

@kjozwiak
Member

kjozwiak commented Feb 9, 2022

Closing as we've deprecated the Yubikey SDK in favour of the WKWebView SDK as per #4473. QA went through verifications via #4473 (comment), #4473 (comment) & #4473 (comment) and couldn't reproduce the crashes using the WKWebView SDK.

@kjozwiak kjozwiak closed this as completed Feb 9, 2022
@kjozwiak kjozwiak added this to the 1.35 milestone Feb 9, 2022