
I'm trying to create a credential with resident key / discoverable credentials for username-less login:

navigator.credentials.create({
  publicKey: {
    challenge: ...,
    timeout: ...,
    rp: { name: 'Some name' },
    user: { ... },
    pubKeyCredParams: [
      {"type":"public-key","alg":-7},
      {"type":"public-key","alg":-37},
      {"type":"public-key","alg":-257}
    ],
    authenticatorSelection: {
      authenticatorAttachment: 'cross-platform',
      residentKey: 'required',
      requireResidentKey: true,
      userVerification: 'discouraged'
    }
  }
})

Unfortunately, Chrome still prompts the user to set a PIN or, if the hardware key does not support PINs, tells the user that the device is not supported. As if userVerification: 'discouraged' was just ignored by Chrome.

Our requirement is that users can register and login without entering a username or PIN (with all the implied safety drawbacks).

Is there a way to achieve this with Chrome?

sudoremo

2 Answers

As if userVerification: 'discouraged' was just ignored by Chrome.

Discoverable credentials without user verification are not supported in Chrome. (Except for some platform authenticators which require that the device be unlocked but, correctly, don't report that as user verification.)

Setting an explicit credProtect level doesn't change that.

agl

Thanks, that appears to be the state of things. This also seems to apply to Microsoft Edge with Chromium Engine. I guess it's just a security precaution. – sudoremo Apr 05 '23 at 19:10


It should be possible using

CredProtect=userVerificationOptional

See https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/_GlMmEpHya8 and https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html

edit: to be more precise, in your create() options, add:

 extensions: {
  credentialProtectionPolicy: "userVerificationOptional"
},

and when calling get(), make sure you specify:

  userVerification: "discouraged"

joostd
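The following is an added example, not code from the question or from either answer. It puts the credProtect extension from the answer above into a complete set of create()/get() options for a username-less flow, and adds the relying-party side that the thread does not show: parsing the flags byte of the authenticatorData so the server can see whether user verification (UV) was actually performed, which matters exactly because, as agl notes, an unlocked platform authenticator is not reported as UV and, as the thread shows, browsers may not honour `userVerification: "discouraged"` for discoverable credentials. The rpId `example.com`, the RP name, and the sample authenticatorData bytes are constructed placeholders; `enforceCredentialProtectionPolicy` is the companion input defined by the WebAuthn credProtect extension and is not mentioned on the page. Nothing here calls `navigator.credentials`, so the file runs under plain Node.

```javascript
// Added example: credProtect-enabled WebAuthn options plus an RP-side
// check of the authenticatorData flags. Not the project's or the answerers' code.

// Policy value from joostd's answer: credential usable without UV.
const CRED_PROTECT_POLICY = "userVerificationOptional";

// PublicKeyCredentialCreationOptions for a discoverable ("resident") credential
// that should not require a PIN. rpId/name are assumed placeholders.
function buildCreateOptions({ challenge, userId, userName, rpId = "example.com" }) {
  return {
    challenge,                       // 32 random bytes from the server
    timeout: 60000,
    rp: { id: rpId, name: "Example RP" },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -37 },  // PS256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",
      residentKey: "required",
      requireResidentKey: true,        // for clients that only know the older field
      userVerification: "discouraged",
    },
    extensions: {
      credentialProtectionPolicy: CRED_PROTECT_POLICY,
      // Spec-defined companion input (assumption: not on the page). false lets the
      // ceremony continue on authenticators that lack credProtect support.
      enforceCredentialProtectionPolicy: false,
    },
  };
}

// PublicKeyCredentialRequestOptions for the username-less login: an empty
// allowCredentials list tells the authenticator to offer its discoverable credentials.
function buildGetOptions({ challenge, rpId = "example.com" }) {
  return { challenge, timeout: 60000, rpId, allowCredentials: [], userVerification: "discouraged" };
}

// authenticatorData layout (WebAuthn §6.1): rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10, FLAG_AT = 0x40, FLAG_ED = 0x80;

function parseAuthDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0, false);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,      // the bit the RP must check, not the request hint
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    attestedCredentialData: (flags & FLAG_AT) !== 0,
    extensionData: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// RP decision: user presence is always required; UV only when the action demands it.
// With "discouraged" the RP cannot assume UV happened, so it reads the flag.
function assertionMeetsPolicy(authData, { requireUv }) {
  const f = parseAuthDataFlags(authData);
  if (!f.userPresent) return false;
  return requireUv ? f.userVerified : true;
}

// Constructed sample authenticatorData (fake rpIdHash, chosen flags and counter).
function constructAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
const SAMPLE_AUTHDATA_UP_ONLY = constructAuthData(FLAG_UP, 5);           // PIN-less key: UP, no UV
const SAMPLE_AUTHDATA_UP_UV = constructAuthData(FLAG_UP | FLAG_UV, 6);   // PIN/biometric used

console.log("UP-only assertion:", parseAuthDataFlags(SAMPLE_AUTHDATA_UP_ONLY));
console.log("accepted for low-assurance login:", assertionMeetsPolicy(SAMPLE_AUTHDATA_UP_ONLY, { requireUv: false }));
console.log("accepted for high-assurance action:", assertionMeetsPolicy(SAMPLE_AUTHDATA_UP_ONLY, { requireUv: true }));
```

In a real deployment the authenticatorData comes from `response.getAuthenticatorData()` on the assertion (or from the decoded attestation object at registration), and the server decides per action whether an assertion with UV=0 is acceptable; the request-side hint never replaces that check.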