If UP flag is not set, expected server response is not success

[ynojima]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

What protocol and version of the protocol are you testing?

FIDO2

What is your implementation class?

Server

What is the version of the tool are you using?

FIDO Conformance Tools v0.10.192 (BETA)(FIDO2 )

What is the OS and the version are you running?

Windows 10 2018 October Update

Issue description

Server-ServerAuthenticatorAssertionResponse-Resp-3 Test server processing authenticatorData
P-5 Send a valid ServerAuthenticatorAssertionResponse both authenticatorData.flags.UV and authenticatorData.flags.UP are not set, for userVerification set to "preferred", and check that server succeeds
P-8 Send a valid ServerAuthenticatorAssertionResponse both authenticatorData.flags.UV and authenticatorData.flags.UP are not set, for userVerification set to "discouraged", and check that server succeeds

Server-ServerAuthenticatorAssertionResponse-Resp-3 P-5 and P-8 send a response authenticatorData.flags.UP are not set, and assert the server succeeds, but the WebAuthn spec requires to verify that UP flag is set.

Verify that the User Present bit of the flags in authData is set.

https://www.w3.org/TR/webauthn/#verifying-assertion

[yackermann]

This is silent authenticator scenario that WebAuthn is not supporting at that moment.

[grzuy]

For the record, discussions of future plans for "silent authentication" in w3c/webauthn#199.

[grzuy]

This is silent authenticator scenario that WebAuthn is not supporting at that moment.

Hi @herrjemand,

Are you saying that you encourage FIDO2 server implementations to deviate from current WebAuthn Level 1 Recommendation and support "silent authentication"?

[MasterKale]

@herrjemand I believe this issue should be reopened. It's almost three years later and L2 requires up to be true, during both registration and authentication. However, FIDO conformance v1.6.41 still requires RPs to pass authentication responses when up is not set to true:

I was tempted to make a new issue but since this one so perfectly matched what I'd report I decided to comment here instead. Please let me know if I should and I'll make a new ticket.

[yackermann]

So here is what you need to understand. There is a separation between FIDO server, one of the authentication components, and identity manager.

FIDO Server job is to process FIDO assertion correctly. So if user did not enforce UV/UP, it might be that in the future FIDO authenticator may return no UV/UP, and server must process it correctly, and allow it. The identity manager then can utilize this information to allow or disallow login.

This all is up to the identity manager. Allow or disallow UP/UV. Allow or disallow CERTIFIED/NON-CERTIFIED.

Our job is to make sure that servers are correctly support it.

So FIDO certified server, a components in authentication flow, must support all FIDO options, but how you use them is none of our business. So feel free to block anyone who is trying to login with UV/UP false.