
feat/passwordless-defaults #307

Merged
merged 3 commits into from
Dec 13, 2022

Conversation

MasterKale
Owner

@MasterKale MasterKale commented Dec 11, 2022

This PR makes SimpleWebAuthn more opinionated about default functionality, and the use case it promotes. In this case the defaults will steer RPs towards implementing passwordless authentication thusly:

  • Explicitly mark user verification as "preferred" in registration and authentication options (WebAuthn defaults to this value when userVerification is missing in options)
  • Require a discoverable credential be created in registration options
  • Require user verification having taken place (i.e. uv:true) during registration and authentication response verification

These changes were inspired by recent doc updates made to passkeys.dev on how RPs should mark user verification "preferred", but which leave it up to RPs to figure out if UV should be required or not in response validation:

The user verification result (conveyed in authenticator data flags) will reflect the actual user verification result and should always be validated against your requirements on the server.

I'm deciding to make RPs require that user verification is marked true in the response to ensure a reliable passwordless experience.

THIS IS A BREAKING CHANGE!

RPs that do not require support for discoverable credentials from authenticators will need to update their calls to generateRegistrationOptions() accordingly:

Before

const options = generateRegistrationOptions({
  rpName: 'SimpleWebAuthn',
  rpID: 'simplewebauthn.dev',
  userID: '1234',
  userName: 'usernameHere',
});

After

const options = generateRegistrationOptions({
  rpName: 'SimpleWebAuthn',
  rpID: 'simplewebauthn.dev',
  userID: '1234',
  userName: 'usernameHere',
  authenticatorSelection: {
    // See https://www.w3.org/TR/webauthn-2/#enumdef-residentkeyrequirement
    residentKey: 'discouraged',
  },
});

Additionally, RPs implementing a second-factor flow with WebAuthn, where UV is not important (because username+password are provided before WebAuthn is leveraged for the second factor), should not require user verification when verifying responses:

verifyRegistrationResponse()

Before

const verification = await verifyRegistrationResponse({
  credential: attestationFIDOU2F,
  // ...
});

After

const verification = await verifyRegistrationResponse({
  credential: attestationFIDOU2F,
  // ...
  requireUserVerification: false,
});

verifyAuthenticationResponse()

Before

const verification = await verifyAuthenticationResponse({
  credential: assertionResponse,
  // ...
});

After

const verification = await verifyAuthenticationResponse({
  credential: assertionResponse,
  // ...
  requireUserVerification: false,
});

@MasterKale MasterKale merged commit c95851c into master Dec 13, 2022
@MasterKale MasterKale deleted the feat/passwordless-defaults branch December 13, 2022 03:36
@MasterKale MasterKale added the package:server @simplewebauthn/server label Dec 19, 2022
@MasterKale MasterKale mentioned this pull request Jan 4, 2023