Bug 250866
| Summary: | WebAuthn registration does not prompt for system password when passkey is created while macOS device is closed | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Matthew Miller (Cisco) <matthew> |
| Component: | WebKit Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | Normal | CC: | garrett_davidson, pascoe |
| Priority: | P2 | | |
| Version: | Safari 16 | | |
| Hardware: | Mac (Apple Silicon) | | |
| OS: | macOS 13 | | |
Matthew Miller (Cisco)
Calls to `navigator.credentials.create()` in Safari 16.2 in macOS 13.1 on an M1 Pro MacBook Pro return a response with `uv:false` if `userVerification: "preferred"` is passed in while the MacBook is in "clamshell mode", that is, the laptop is closed while connected to and used with an external monitor, keyboard, and mouse.
## Expected Result
The platform authenticator prompts for the system password/Apple Watch interaction to perform user verification.
## Reproduction Steps
1. Connect a MacBook to an external monitor, keyboard, and mouse
2. Close the MacBook
3. Make the following WebAuthn request in Safari
```
navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([1, 2, 3]),
    rp: {
      name: 'SimpleWebAuthn Example',
      id: 'localhost'
    },
    user: {
      id: new Uint8Array([1, 2, 3]),
      name: 'user@localhost',
      displayName: 'user@localhost'
    },
    pubKeyCredParams: [
      { alg: -7, type: 'public-key' },
      { alg: -257, type: 'public-key' },
    ],
    timeout: 60000,
    attestation: 'none',
    authenticatorSelection: {
      userVerification: 'preferred',
    },
  },
});
```
4. Click Continue on the typical prompt to save a passkey in iCloud Keychain
5. Observe the following response containing `uv: false` (you can drop it into https://debugger.simplewebauthn.dev/ to confirm)
```
{
  "id": "MjdWlXQGnJ6Q4HRy0Z06YGx4rL8",
  "rawId": "MjdWlXQGnJ6Q4HRy0Z06YGx4rL8",
  "response": {
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDI3VpV0BpyekOB0ctGdOmBseKy_pQECAyYgASFYIJKaK0s4gnDCwe9BNIY2miE6VEPm3_FZCpA3FLeos7wyIlgg9GdSUZQdr_qjxdNC_2ontuzElx-tm0efIVpjNS5Vccc",
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiYUs4Ym12N1drYzhnOW5ySmJnVGZCb1o4aUNTODhFUFRscTdSdWpUNjFkayIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMCJ9",
    "transports": [
      "internal",
      "hybrid"
    ]
  },
  "type": "public-key",
  "authenticatorAttachment": "platform"
}
```
pascoe@apple.com
Hi Matt.
This is expected behavior. On macOS, if biometrics aren't available, the password prompt is only thrown when uv=required.
When uv=preferred, user verification is only performed if biometrics are available.
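
Added example, not part of the bug thread or of WebKit: since `userVerification: 'preferred'` can produce a registration with the UV flag clear, a relying party that needs user verification has to request `'required'` and check the flags byte of `authData` itself. The code below decodes the `attestationObject` quoted in this report and applies that check; `cborDecode`, `parseAuthDataFlags` and `checkRegistration` are hypothetical helper names, and Node.js `Buffer` is assumed.

```javascript
// Minimal CBOR reader (definite-length ints, byte/text strings, arrays and
// maps); enough for a fmt "none" attestation object, not a general decoder.
function cborDecode(buf, pos = 0) {
  const major = buf[pos] >> 5;
  const info = buf[pos] & 0x1f;
  pos += 1;
  let len = info;
  if (info >= 24 && info <= 27) {            // length/value in next 1, 2, 4 or 8 bytes
    const n = 1 << (info - 24);
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
    pos += n;
  } else if (info > 27) {
    throw new Error('unsupported CBOR length encoding');
  }
  if (major === 0) return [len, pos];                                // unsigned int
  if (major === 1) return [-1 - len, pos];                           // negative int
  if (major === 2) return [buf.subarray(pos, pos + len), pos + len]; // byte string
  if (major === 3) return [buf.toString('utf8', pos, pos + len), pos + len];
  if (major !== 4 && major !== 5) throw new Error('unsupported CBOR major type');
  const out = major === 4 ? [] : {};
  for (let i = 0; i < len; i++) {
    let key, value;
    if (major === 5) [key, pos] = cborDecode(buf, pos);
    [value, pos] = cborDecode(buf, pos);
    if (major === 4) out.push(value); else out[key] = value;
  }
  return [out, pos];
}

// authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function parseAuthDataFlags(attestationObjectB64url) {
  const [att] = cborDecode(Buffer.from(attestationObjectB64url, 'base64url'));
  if (!att.authData || att.authData.length < 37) throw new Error('authData too short');
  const flags = att.authData[32];
  return { flags, up: (flags & 0x01) !== 0, uv: (flags & 0x04) !== 0 };
}

// Hypothetical policy hook: reject when the RP needs UV and the flag is clear.
function checkRegistration(attestationObjectB64url, requireUv) {
  const { up, uv } = parseAuthDataFlags(attestationObjectB64url);
  if (!up) return { ok: false, reason: 'UP flag not set' };
  if (requireUv && !uv) return { ok: false, reason: 'UV flag not set' };
  return { ok: true, uv };
}

// attestationObject copied from the response in this report.
const REPORTED_ATTESTATION_OBJECT = 'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDI3VpV0BpyekOB0ctGdOmBseKy_pQECAyYgASFYIJKaK0s4gnDCwe9BNIY2miE6VEPm3_FZCpA3FLeos7wyIlgg9GdSUZQdr_qjxdNC_2ontuzElx-tm0efIVpjNS5Vccc';
console.log(checkRegistration(REPORTED_ATTESTATION_OBJECT, true));
```

A full registration ceremony also verifies the challenge, origin and `rpIdHash`; this block covers only the flags check.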