Re: [webauthn] Which "pubKeyCredParams" to use? (#1757)

> I quick tested on Virtualbox, and to me this happened when TPM was off. Without TPM, Windows 11 failed to use ES256 (but attempted to do so, if algo list contained ES256 before RS256 it requested the PIN twice). This can be figured out by AAGUID which is `6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2` for Windows Hello software implementation and `08987058-CADC-4B81-B6E1-30DE50DCBE96` for the TPM-backed one.

This turned out to be the correct answer, but not as simple in practice when using a real machine instead of a VM. Even with TPM on, many devices continue to use the software-backed Windows Hello authenticator. This is probably because they already have passkeys in that credential store container, and Windows does not automatically migrate them for you (especially if key components of the PC were manufactured before Windows 11 was released). 

So, you need to remove all passkeys from Windows Hello, turn it off, and then turn it back on to ensure the container is removed. Then, the device will start to make use of the TPM-backed authenticator for new passkeys (which in turn, supports ES256).

Anyways, thanks @SagePtr for the nudge in the right direction (and sorry for hijacking this discussion)

-- 
GitHub Notification of comment by tylerccarson
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-3308599848 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 18 September 2025 17:06:42 UTC