How to handle browsers (Safari) that don't always ask for user verification? #445
-
I'm testing out this library in my backend to learn about whether and how to support webauthn/"passkeys". When I follow the registration flow and create a new credential with Safari (macOS, touchid not available), it correctly asks for my password and registers the key with the user verification bit set, everything's hunky dory. But when I subsequently try to authenticate, even though the backend says user verification is required, Safari doesn't verify. It presents a list of keychain passkeys to choose from without asking for any password. I can't figure out how to force Safari to always ask for the password... it seems to ignore user verification required set in the What's the correct way to handle this scenario in Safari where it doesn't always do user verification, but the backend lib seems to always require it? Is there any magic incantation to make Safari do the right thing?
-
It won't ask for the password but it may be expecting you to provide touchId instead? Otherwise, it sounds like a Safari bug.
-
Isn't this a known bug, when the laptop is closed, webauthn gets weird in Safari?
…On 2024-07-27 15:31 Kahn wrote:
I guess the best behaviour in the meantime, unfortunately, is to show these users an error message and say "please open your laptop and activate the fingerprint reader, or use a different auth method."
—
Got a reply from Apple: the issue is fixed in macOS 15 Beta 8. I've confirmed it's working properly in the beta 🥳.
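
The server-side check this thread revolves around, as an added example that is not code from the thread or from the library under discussion: it reads the UV bit from the assertion's authenticator data and, when verification is required but missing, rejects with a message pointing the user to another method. The names `check_user_verification` and `UVDecision`, the RP ID `example.com` and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the authenticatorData flags byte, as defined by the WebAuthn spec.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN, password or biometric was checked)

UV_MISSING_MSG = ("User verification was not performed. Activate the "
                  "fingerprint reader or use a different sign-in method.")


@dataclass
class UVDecision:  # hypothetical result type for this example
    accepted: bool
    user_verified: bool
    sign_count: int
    message: str


def check_user_verification(auth_data: bytes, rp_id: str,
                            require_uv: bool = True) -> UVDecision:
    """Parse the fixed 37-byte authenticatorData header and apply UV policy.

    Signature verification over authenticatorData and the client data hash
    is a separate step and must also pass; only the flag policy is shown.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    # Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return UVDecision(False, False, sign_count, "rpIdHash mismatch")
    if not flags & FLAG_UP:
        return UVDecision(False, False, sign_count, "user presence not set")
    uv = bool(flags & FLAG_UV)
    if require_uv and not uv:
        # The browser skipped verification: fail closed and tell the user
        # what to do, instead of silently accepting a presence-only login.
        return UVDecision(False, False, sign_count, UV_MISSING_MSG)
    return UVDecision(True, uv, sign_count, "ok")


def sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed authenticatorData header bytes for testing."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))
```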