Questions tagged [webauthn]

Browser API implementing the W3C Web Authentication standard. Credentials are stored on (platform or roaming) authenticators and are accessed through strong public-key cryptography; each credential is scoped to a single relying party.

See Web Authentication: A Web API for accessing scoped credentials:

This specification defines an API that enables web pages to access WebAuthn compliant strong cryptographic credentials through browser script. Conceptually, one or more credentials are stored on an authenticator, and each credential is scoped to a single Relying Party. Authenticators are responsible for ensuring that no operation is performed without the user’s consent. The user agent mediates access to credentials in order to preserve user privacy. Authenticators use attestation to provide cryptographic proof of their properties to the relying party. This specification also describes a functional model of a WebAuthn compliant authenticator, including its signature and attestation functionality.

303 questions
3
votes
1 answer

WebAuthn authentication and registration using TouchID on two different browsers?

The case where a person registers a new account (via credentials.create) and subsequently logs in using the same browser (via credentials.get) is straightforward, because at the time credentials.create is called, the user must grant their browser…
mkhbragg
  • 131
  • 3
  • 12
3
votes
2 answers

How to retrieve a symmetric key using Webauthn/CTAP HMAC-Secret extension in a web browser?

I am trying to leverage the CTAP hmac-secret extension to retrieve a key for symmetric encryption in a web browser. I have a YubiKey 5, which implements this extension. I read through the CTAP specs, but I cannot find a reference on how to do it once I get…
ucipass
  • 923
  • 1
  • 8
  • 21
3
votes
4 answers

Android FIDO2 throwing vague errors

I am trying to implement FIDO2 on Android. I have the assetlinks.json hosted on my domain (Sorry, I don't want to, and am not sure if I'm allowed to, reveal the whole URL yet). I have the assets_statements string defined and added it to my Manifest and I…
Tooroop
  • 1,824
  • 1
  • 20
  • 31
3
votes
2 answers

WebAuthn authenticator attestation response id and rawId

I would like to ask a question regarding id and rawId. When implementing WebAuthn, in the authenticator attestation response, I see that we have both id and rawId. Reading the spec (https://www.w3.org/TR/webauthn-1/#dom-publickeycredential-rawid),…
truongnm
  • 2,311
  • 2
  • 31
  • 48
3
votes
0 answers

Does Keycloak expose WebAuthn APIs, or can the WebAuthn flow be managed programmatically?

We are currently evaluating the Keycloak passwordless login feature, which is called WebAuthn and follows the FIDO2 specification. I am able to customize the authentication flow (through the admin console of Keycloak) and log in with a FIDO2 device (platform…
Samir
  • 655
  • 5
  • 14
3
votes
1 answer

How to disallow FIDO/WebAuthn key registration from the virtual authenticator browser extension

The virtual authenticator extension provided in Chrome (virtual authenticators tab) is used for testing / debugging the FIDO2 Webauthn authentication mechanism without using physical authenticator keys. This is useful in automated testing e.g. via…
PJW
  • 344
  • 2
  • 9
3
votes
2 answers

Selenium Tests: Authenticate with Webauthn

In my use case, there is a registration page that triggers the browser-specific webauthn flow. For example in Chrome on a Mac you will see this series of popups: Pick an option between USB security key and Built-in sensor MacOS confirmation with…
mkhbragg
  • 131
  • 3
  • 12
3
votes
1 answer

FIDO2 compatibility with U2F/CTAP1

There are many sources that say FIDO2/CTAP2 is backward compatible with U2F: ...all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online…
3
votes
1 answer

Usernames exposed by login attempt?

I'm trying to expand my application to support WebAuthn login. So far, I have successfully set up a test application (using this https://github.com/lbuchs/WebAuthn PHP implementation) on my local server. I think I mostly understood the process now,…
LeRainieur
  • 59
  • 4
3
votes
0 answers

Chrome and Firefox return different errors when clicking the cancel button on the browser's popup during FIDO2 credential get

When I click cancel on the dialog, Chrome returns NotAllowedError, but Firefox returns AbortError. In the W3C WebAuthn document, it says the following: 18. While lifetimeTimer has not expired, perform the following actions depending upon lifetimeTimer,…
Daichi
  • 198
  • 2
  • 13
3
votes
2 answers

Calculate hash for signature verification in webauthn

I'm trying to implement webauthn, but am having trouble getting the signature verification to work. According to https://w3c.github.io/webauthn/#verifying-assertion I have to basically verify the signature over the following data: authData ||…
Martijn Otto
  • 878
  • 4
  • 21
3
votes
2 answers

How to check whether a browser supports public-key credentials?

I am implementing WebAuthn using PHP, and now I'm facing a problem with how to detect whether the browser supports public-key credentials or not. If the browser supports public-key credentials then I have to start the fingerprint registration procedure. So is there…
Sachin
  • 789
  • 5
  • 18
2
votes
1 answer

Fido2ApiCall failed in Chromium for Android, mode = BROWSER

Checking out and building Chromium for Android (https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/android_build_instructions.md); install and run Chromium for Android; navigate to https://webauthn.io; enter any username; press Register…
2
votes
1 answer

How to know if a WebAuthn exception should be displayed?

I'm currently in the process of evaluating the implementation of WebAuthn/Passkeys on a website, and one thing that I'm having trouble finding information on is what exceptions from the WebAuthn API the user should be notified about. There are many…
Dolda2000
  • 25,216
  • 4
  • 51
  • 92
2
votes
1 answer

Webauthn securely store user credential data

I am trying to add webauthn to my web app, and I want to securely store a private key with the credential data. The methods I have found for storing data with a credential are: hmac-secret extension, large blob extension,…
Randusr
  • 39
  • 6