213934 2020-07-03 13:04:55 -0700 [WebAuthn] pinToken and uv option are mutually exclusive in CTAP2.0 2021-12-23 07:11:53 -0800 1 1 1 Unclassified WebKit WebKit Misc. Safari Technology Preview iPhone / iPad Other RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=181943 InRadar P2 Normal --- 1 loginllama webkit-unassigned jiewen_tan loginllama nuno.sung pascoe timcappalli webkit-bug-importer oldest_to_newest 1668626 0 loginllama 2020-07-03 13:04:55 -0700 iOS 14 Using a usb attached authenticator that has a getInfo options member that includes both clientPin=True and uv=True, causes the platform to first getPINToken then do makeCredential and getAssertion with both pinToken and the uv=1 option. This is valid in CTAP 2.1 for a three factor authentication. In that flow the platform first prompts for clientPin then performs getPINToken. It then performs getAssertion with the pinToken and uv=True to force the authenticator to do uv (typically fingerprint) the authenticator must validate both before returning a assertion. So while technically allowed it is probably not the intent to have iOS do a three factor authentication. I would expect for a authenticator that has a getInfo options member that includes both clientPin=True and uv=True in CTAP2.0. (The flow changes in CTAP2.1 but lets start with this.) 1) perform getAssertion or makeCredential with the uv option set to true. 2) If addassertion is returned then return to RP 3) If operation-denied is returned then error 4) If pin-required is returned fall back to client PIN 5) If the getInfo options member doesn't include clientPin=True Then error 6) prompt user for PIN 7) Negotiate shared secret 8) Do getPintoken 9) redo getAssertion with pinToken 10) joy I skipped some steps depending on the size of the allow list. There is info on maximum credentialID size and max number of credentials in getInfo now that was added in FIDO_2_1_Pre that you should be using as well. 1668701 1 webkit-bug-importer 2020-07-03 17:10:03 -0700 <rdar://problem/65085265> 1675543 2 jiewen_tan 2020-07-28 01:12:19 -0700 Let's revisit this once we start implementing CTAP 2.1. 1735343 3 loginllama 2021-03-03 10:21:47 -0800 CTAP 2.1 RD was updated so that if the platform sends getAssertion with both pinToken and the uv=1 option, then the uv=1 option is ignored. We worked around the problem on the spec/authenticator side. You should however still fix the problem 1826352 4 pascoe 2021-12-22 11:15:02 -0800 This was fixed in https://bugs.webkit.org/show_bug.cgi?id=232501 and https://bugs.webkit.org/show_bug.cgi?id=213903 1826551 5 loginllama 2021-12-23 07:11:53 -0800 Thanks, I am seeing the correct behavior now in Safari 15.2 on OSX and iOS 15.2