Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

If I `create()` a passkey with the following settings, on an authenticator that supports resident keys and user verification:

```js
publicKey: {
   authenticatorSelection: {
      authenticatorAttachment: "platform",
      userVerification: "required",
      residentKey: "required",
      requireResidentKey: true
   },
   extensions: {
      credProps: true,
      credentialProtectionPolicy: "userVerificationRequired",
      enforceCredentialProtectionPolicy: true
   },
   user: {
      id: ...,
      // ...
   }

   // ...
}
```

...and it succeeds, I get back flags in the response's authenticator data that indicate user-presence and user-verification were used, and I get client-extension output data `{ rk: true }` indicating that the credential was resident.

However, I'm *not* getting back any authenticator extension data with `{ credProtect: 3 }`, as MDN indicates I should. I dunno if that indicates a browser bug, or if it indicates that the authenticator is ignoring `enforceCredentialProtectionPolicy: true` altogether. I've asked Chrome about this in a bug I filed.

----

In either case, can I be certain that:

1. this passkey will NOT successfully authenticate in a subsequent `get()` call, unless the same human user affirmatively presents the same biometric factor -- i.e., that it wasn't some silent passkey return -- even if...?

    - I may have passed in `allowCredentials: [ .. ]` with this exact credential, as indicated by its `credentialID`
    - OR I may have passed in `mediation: optional` to allow a passkey discovery where the user selects that passkey from a prompt and then authenticates with it
    - OR I may have passed in `mediation: conditional` and an `<input>` where the user selects the passkey from an autocomplete popup

2. that the `userHandle` will definitely come back, with the same value as `user.id` was set to in `create()`?

If the above are fully true, isn't it accurate to say that this `userHandle` **does not come back without UV**?

Or am I missing some more nuance here?

-- 
GitHub Notification of comment by getify
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2677739870 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 24 February 2025 08:39:23 UTC
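The two guarantees the comment asks about are things a relying party has to check itself on every assertion, regardless of what credProtect level was requested at `create()`. The following is an added example of those server-side checks (not code from the issue thread, the spec, or any browser); it assumes `authData`, `userHandle` and the stored `user.id` are all handed in as `Uint8Array`, and the sample authenticator data is constructed, not captured.

```javascript
// Added example: relying-party checks on a WebAuthn assertion.
// Flag bits of the authenticatorData flags byte (WebAuthn Level 2/3):
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_ED = 0x80; // extension data follows (e.g. credProtect output)

// Parse the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// Length-then-XOR comparison so a mismatched userHandle does not short-circuit byte by byte.
function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Accept the assertion only if UP and UV are set and userHandle equals the
// user.id registered at create(). Collects every failure reason for logging.
function checkAssertion({ authData, userHandle, expectedUserId }) {
  const parsed = parseAuthData(authData);
  const reasons = [];
  if (!parsed.userPresent) reasons.push("UP flag not set");
  if (!parsed.userVerified) reasons.push("UV flag not set");
  if (!userHandle) reasons.push("no userHandle returned");
  else if (!bytesEqual(userHandle, expectedUserId)) reasons.push("userHandle does not match user.id");
  return { ok: reasons.length === 0, reasons, parsed };
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags, signCount 7.
function sampleAuthData(flags) {
  const ad = new Uint8Array(37);
  ad[32] = flags;
  ad[36] = 7;
  return ad;
}
```

Signature verification, the rpIdHash comparison and signCount tracking are also mandatory and are outside this snippet; a missing `credProtect` entry in the extension data (ED clear, as the comment observes) does not by itself tell the RP anything about whether UV occurred, which is why the UV flag must be checked directly.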