Acceptable UV caching time affordance extension added #2021
Conversation
|
@rlin1 we talked about this extensively at the WebAuthn F2F last year. The direction we were discussing was adding an ability for an authenticator to convey when it last performed UV and the authenticator would be truthful in its UV response in authData. This would provide the balance of an RP knowing the UV response is truthful along with some additional context, and the client and/or provider being able to make the best decision based on context they know. This extension could potentially be part of that solution, but it is unclear whether the authenticator would reply truthfully about UV for the assertion or would lie based on the caching being acceptable to the RP. |
|
With this approach, the maxUVC included in the authenticator output could be defined differently to be less or equal to the maxUVC as provided by the RP - so that the authenticator could set it to the elapsed time. |
yackermann
changed the title
|
Close #2023 |
|
Should this extension cover userPresence as well? If yes: we might want to rename it to userGestureCaching... |
index.bs
Outdated
| "RFC9052": { | ||
| "authors": ["Jim Schaad"], | ||
| "title": "CBOR Object Signing and Encryption (COSE): Structures and Process", | ||
| "href": "https://datatracker.ietf.org/doc/rfc9052/", | ||
| "status": "IETF Internet Standard", | ||
| "date": "August 2022" | ||
| }, | ||
|
|
||
| "RFC9053": { | ||
| "authors": ["Jim Schaad"], | ||
| "title": "CBOR Object Signing and Encryption (COSE): Initial Algorithms", | ||
| "href": "https://datatracker.ietf.org/doc/rfc9053/", | ||
| "status": "RFC Informational", | ||
| "date": "August 2022" | ||
| }, | ||
|
|
There was a problem hiding this comment.
These don't seem to be referenced anywhere in the added text; was this added by mistake?
There was a problem hiding this comment.
was required to make bikeshed run successfully
There was a problem hiding this comment.
How are you running Bikeshed? You may need to run bikeshed update to update your snapshot of the bibliography index.
emlun
force-pushed
the
userVerificationCaching
branch
from
89c99a8
to
a45a2b6
Compare
|
I force-pushed the branch to remove some unrelated whitespace changes from the commit history; you may need to hard-reset any local clones to the new HEAD commit. |
| :: The maxTimeSinceLastUV denotes the maximum acceptable number of milliseconds elapsed since the last time the user was successfully verified. | ||
| <xmp class="idl"> | ||
| partial dictionary AuthenticationExtensionsClientInputs { | ||
| unsigned long long maxTimeSinceLastUV; |
There was a problem hiding this comment.
This member name needs to be the same as the extension identifier.
| unsigned long long maxTimeSinceLastUV; | |
| unsigned long long userVerificationCaching; |
There was a problem hiding this comment.
should long be there twice? I guess it needs to be if we're not going to bound it.
There was a problem hiding this comment.
Yes, unsigned long long is the WebIDL type for a 64-bit integer.
...oh, I was about to say we use the same type for timeout, but it turns out it's just unsigned long (32-bit). So yeah, let's make it just unsigned long here too for consistency. 264 milliseconds is almost 50 days, I can't imagine anyone needing more range than that.
| :: Returns the number of milliseconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=]. | ||
| <xmp class="idl"> | ||
| partial dictionary AuthenticationExtensionsClientOutputs { | ||
| unsigned long long timeSinceLastUV; |
There was a problem hiding this comment.
This member name needs to be the same as the extension identifier.
| unsigned long long timeSinceLastUV; | |
| unsigned long long userVerificationCaching; |
|
|
||
| ``` | ||
| $$extensionInput //= ( | ||
| mtslUV: uint .size 4 |
There was a problem hiding this comment.
This member name needs to be the same as the extension identifier.
| mtslUV: uint .size 4 | |
| userVerificationCaching: uint .size 4 |
|
|
||
| ``` | ||
| $$extensionOutput //= ( | ||
| tslUV: uint .size 4 |
There was a problem hiding this comment.
This member name needs to be the same as the extension identifier.
| tslUV: uint .size 4 | |
| userVerificationCaching: uint .size 4 |
| :: When user verification is requested, the [=authenticator=] triggers user verification only if more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension. | ||
|
|
||
| : Authenticator extension output | ||
| :: If no fresh user verification needed to be triggered triggered, the authenticator reports the time last last user verification time back to the [=[RP]=] to ensure the [=[RP]=] is aware that no fresh user verification was triggered. It is up to the authenticator to decide whether to return the real elapsed time, or a "rounded" value. If user verification was requested, this value SHALL not exceed the value originally provided in the extension input. |
There was a problem hiding this comment.
What is the extension output if UV is done as part of the current ceremony? I know that the UV bit should be set in authenticatorData, but should the extension output also be set with a value of 0 perhaps? The purpose of returning that is to at least indicate to the RP that the extension was acknowledge and processed. The RP could infer that UV was done, but might otherwise not have been if the maxTimeSinceLastUV had been shorter. This would differentiate it from an authenticator that doesn't support the extension and just did UV because it always does UV when preferred is set for userVerification in the initial authentication request.
There was a problem hiding this comment.
To be clear, the suggestion here is that extension output should be set to 0 if UV takes place during the ceremony? Which naturally means the extension output should never be greater than the duration specified as maxTimeSinceLastUV. That sounds sensible to me.
|
I'm largely good with this one, as long as it is restricted for use with UV=preferred, similar to #2052. |
|
I've been convinced that this proposal enables RP's to gracefully handle more use cases than the simpler reporting mechanism proposed in #2052. I'd say let's try and get this one into the spec instead. |
|
I'd also add that one of the two open questions for #2052 also applies here:
|
| : Extension identifier | ||
| :: `userVerificationCaching` | ||
|
|
||
| : Operation applicability |
There was a problem hiding this comment.
This is where the user verification selection criteria should go IMO.
Also shouldn't this apply to both creation and authentication?
If so, suggest the following:
: Operation applicability
:: [=registration extension|Registration=] and [=authentication extension|Authentication=] when {{AuthenticatorSelectionCriteria/userVerification}} is set to {{UserVerificationRequirement/preferred}}.
| :: The maxTimeSinceLastUV denotes the maximum acceptable number of milliseconds elapsed since the last time the user was successfully verified. | ||
| <xmp class="idl"> | ||
| partial dictionary AuthenticationExtensionsClientInputs { | ||
| unsigned long long maxTimeSinceLastUV; |
There was a problem hiding this comment.
should long be there twice? I guess it needs to be if we're not going to bound it.
| :: [=authentication extension|authentication=] | ||
|
|
||
| : Client extension input | ||
| :: The maxTimeSinceLastUV denotes the maximum acceptable number of milliseconds elapsed since the last time the user was successfully verified. |
There was a problem hiding this comment.
Should we bound this with a min and max? (#2034 (comment))
| :: None, except creating the [=authenticator extension input=] from the client extension input. | ||
|
|
||
| : Client extension output | ||
| :: Returns the number of milliseconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=]. |
| ``` | ||
|
|
||
| : Authenticator extension processing | ||
| :: When user verification is requested, the [=authenticator=] triggers user verification only if more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension. |
There was a problem hiding this comment.
"If more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension, request [=user verification=]."
timcappalli
changed the title
| </xmp> | ||
|
|
||
| : Authenticator extension input | ||
| :: The maximum acceptable time in milliseconds elapsed since last user verification, encoded in CBOR. |
There was a problem hiding this comment.
What's missing here is the negative case - if this extension is not present, do not allow caching at all. This needs to be clearly stated in the spec.
|
2024-04-19 WebAuthn F2F meeting: consensus to put this PR (and its alternative #2052) on hold until some details around attestation and conformance in FIDO are ironed out. |
timcappalli
added
stat:Blocked
The current behavior of some Passkey Providers to “cache” the user verification status cannot be modeled in FIDO/WebAuthn today and hence might surprise relying parties.
This PR adds the user verification extension that allows the RP to indicate its willingness to accept cached user verification for a given time.
Preview | Diff