[webauthn] Inconsistent Passkey Authentication in Google Chrome (#1993)

CyberCtzn has just created a new issue for https://github.com/w3c/webauthn:

== Inconsistent Passkey Authentication in Google Chrome ==
## Description
During regular usage of the MacBook Pro model with an Apple M2 chip, running macOS version 14.0, we came across an unusual behavior, allowing us to skip the passkey fingerprint authentication in the latest Google Chrome version (including Canary).

We have tested the same scenario with some other popular web browsers; all of them behave differently and don't allow the login when the fingerprint sensor (or other biometric device) is disabled.
Also, the same testing scenario in Google Chrome on a different operating system did not yield the same behavior. Chrome on Windows doesn't behave like this and doesn't allow the login via Windows Hello if the camera is unplugged.

## PoC
In order to trigger the behavior, it is required to put the MacBook into so-called clamshell mode, meaning closing the lid while working with attached hardware (monitor, mouse and keyboard).
In this state the system will detect the closure of the MacBook lid and consider the built-in fingerprint sensor as "deactivated".
When trying to log in to a web application that has been set up with the passkey of the user, and trying to log in via the passkey functionality, the popup in the web browser will appear, but instead of asking the user to authenticate via fingerprint or password to unlock the passkey, the dialog just presents a "Continue" button, which can be clicked.

![passkey-continue-cut](https://github.com/w3c/webauthn/assets/131913002/152f4f9f-5a28-4e14-a031-bbc7921c433b)
(Clamshell mode Passkey Dialog)

When clicking this "Continue" button, the user gets forwarded and successfully authenticated with the web application, without the necessity to provide his or her fingerprint.
Based on https://www.w3.org/TR/webauthn-2/#dom-userverificationrequirement-preferred, `preferred` is the default value in the configuration.

## Details
We tried the same login scenario on a self-hosted web application with:
UserVerificationRequirement = required
and received the same, unchanged behavior in the Google Chrome browser.

Google Chrome did not acknowledge this as a Bug.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1993 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 4 November 2023 07:45:31 UTC