W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2021

[webauthn] Firefox generates credentials using TPM with Windows Hello - but does not send TPM attestation (#1620)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Fri, 04 Jun 2021 03:12:58 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-911076200-1622776377-sysbot+gh@w3.org>
arshadnoor has just created a new issue for https://github.com/w3c/webauthn:

== Firefox generates credentials using TPM with Windows Hello - but does not send TPM attestation ==
In some recent testing, using the following:

- Laptop with fingerprint reader
- Windows Hello configured with a fingerprint
- Windows 10 Pro - Version 1909, Build 1863.1440
- Firefox (64-bit) 89.0
- Chrome (64-bit) 91.0.4472.77
- Edge (64-bit) 91.0.864.37
- Opera (64-bit) 76.0.4017.177
- Test site: https://demo4.strongkey.com/basicserver

All listed browsers use the TPM to generate platform keys when registering at this site; however, only Firefox does not provide a TPM attestation - it returns "none" - while the remaining three return TPM attestations. We can confirm that the TPM was used by Firefox because **certutil -csp NGC -key** shows a new key in the list after successful registration with Firefox; when the key is deleted with _certutil_, the credential cannot be found for authentication and Firefox prompts for a Security Key. At other times (when the TPM key is not deleted), Firefox continues to work with TPM generated keys - even when not created by Firefox - to authenticate users to the site.

The FIDO2 server on the back-end is StrongKey's FIDO Certified implementation, and sends registration challenges with the declaration that it will accept any attestation format in this web-application.

Is there an explanation for this? Couldn't find anything in Bugzilla. TIA.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1620 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 4 June 2021 03:13:15 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC