Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[gateway] [webauthn] Need to confirm that "user verification -- required" is being applied #4496

Closed
tcompiegne opened this issue Oct 20, 2020 · 0 comments · Fixed by gravitee-io/gravitee-access-management#944
Closed

[gateway] [webauthn] Need to confirm that "user verification -- required" is being applied #4496

tcompiegne opened this issue Oct 20, 2020 · 0 comments · Fixed by gravitee-io/gravitee-access-management#944
Assignees
@tcompiegne
Labels
project: AM type: enhancement
Milestone
AM - 3.4.0

Comments

@tcompiegne
Copy link
Member

E.g. using the virtual authenticators tab extension in chrome dev-tools it seems to be possible to set up a credential and login with that credential, using a virtual authenticator which does not support user verification.

If requiring user verification is not working in the backend, then we can’t rely on Webauthn to provide both factors for 2FA.

Related, the javascript doesn’t seem to be passing the requirement for userverification to the webauthn JS API, which may mean a confusing user experience where a key (without user verification) seems to be acceptable on the FE and then is rejected on the BE.
@tcompiegne tcompiegne added this to the AM - 3.4.0 milestone Oct 20, 2020
@tcompiegne tcompiegne self-assigned this Oct 20, 2020
@tcompiegne tcompiegne mentioned this issue Oct 23, 2020
Merged
tcompiegne added a commit to gravitee-io/gravitee-access-management that referenced this issue Nov 17, 2020
@tcompiegne
feat(webauthn): upgrade to latest vertx-auth-webauthn implementation
76b1b89 
- coverage all compliance tests
- metadata verification
- TPM attestation support
- Apple attestation support
- UserVerificationRequirement support

closes gravitee-io/issues#4496
leleueri pushed a commit to gravitee-io/gravitee-access-management that referenced this issue Nov 17, 2020
@tcompiegne @leleueri
feat(webauthn): upgrade to latest vertx-auth-webauthn implementation
2e83b86 
- coverage all compliance tests
- metadata verification
- TPM attestation support
- Apple attestation support
- UserVerificationRequirement support

closes gravitee-io/issues#4496
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tcompiegne tcompiegne

Labels
project: AM type: enhancement
Projects
None yet
Milestone
AM - 3.4.0
2 participants
@tcompiegne @leleueri