Add error message if authenticator does not support PRF #122
Adds an error message in case the browser is PRF compatible but the authenticator (security key) is not, as described in #81 (comment).
The "learn more" link leads to the PRF compatibility documentation.
Testing
To test this, you'll either need an authenticator that supports passkeys but not the hmac-secret extension (so an iPhone would probably work?), or to run this snippet in the developer console before clicking the "Sign up with passkey" button:
This snippet simulates the incompatibility by overriding the PRF extension output with what it would look like if the browser supports PRF but the authenticator does not.
Alternatively, if you have a pre-FIDO2 (U2F) security key (for example a YubiKey NEO), you can use this snippet instead:
This instead disables the requirement that the security key must support passkeys (PIN and discoverable keys), which results in a PublicKeyCredential result that genuinely reflects what happens if the browser supports PRF but the security key does not support the hmac-secret CTAP extension.
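The distinction the new error message depends on, as an added example that is not part of this pull request or the project's code: it classifies the `prf` entry of `getClientExtensionResults()` after registration, following the output shape of the WebAuthn PRF extension. The function names, status strings, message text and sample objects are assumptions constructed for illustration.

```javascript
// Hypothetical helper (not the project's code). `extensionResults` is the plain
// object returned by PublicKeyCredential.getClientExtensionResults() after
// navigator.credentials.create() was called with extensions: { prf: {} }.
function classifyPrfSupport(extensionResults) {
  const prf = extensionResults ? extensionResults.prf : undefined;

  // No "prf" key at all: the browser did not process the extension.
  if (prf === undefined || prf === null) return "browser-unsupported";

  // Some authenticators already return PRF outputs at registration time;
  // treat that the same as enabled === true.
  const hasResults = Boolean(prf.results && prf.results.first);
  if (prf.enabled === true || hasResults) return "supported";

  // The browser processed the extension, but the authenticator did not enable
  // it (for a security key: no hmac-secret CTAP extension).
  return "authenticator-unsupported";
}

// Hypothetical message mapping; the wording is not taken from the project.
function prfSupportMessage(status) {
  switch (status) {
    case "supported":
      return null; // nothing to show
    case "authenticator-unsupported":
      return "Your browser supports PRF, but this authenticator does not.";
    default:
      return "Your browser does not support the PRF extension.";
  }
}

// Constructed sample extension results, one per case.
const SAMPLE_RESULTS = {
  prfCapableKey: { prf: { enabled: true } },
  keyWithoutHmacSecret: { prf: { enabled: false } },
  emptyPrfEntry: { prf: {} },
  browserWithoutPrf: { credProps: { rk: true } },
};

for (const [name, results] of Object.entries(SAMPLE_RESULTS)) {
  console.log(name, "->", classifyPrfSupport(results));
}
```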