250866 – WebAuthn registration does not prompt for system password when passkey is created while macOS device is closed

Bug 250866 - WebAuthn registration does not prompt for system password when passkey is created while macOS device is closed

Summary: WebAuthn registration does not prompt for system password when passkey is cre...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	Safari 16
Hardware:	Mac (Apple Silicon) macOS 13

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-01-19 15:02 PST by matthew
Modified:	2023-01-19 16:36 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description matthew 2023-01-19 15:02:20 PST

Calls to `navigator.credentials.create()` in Safari 16.2 in macOS 13.1 on an M1 Pro Macbook Pro return a response with `uv:false` if `userVerification: "preferred"` is passed in while the MacBook is in "clamshell mode", that is the laptop is closed while connected to and used with an external monitor, keyboard, and mouse.

## Expected Result

The platform authenticator prompts for the system password/Apple Watch interaction to perform user verification.

## Reproduction Steps

1. Connect a MacBook to an external monitor, keyboard, and mouse
2. Close the MacBook
3. Make the following WebAuthn request in Safari

```
navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([1, 2, 3]),
    rp: {
      name: 'SimpleWebAuthn Example',
      id: 'localhost'
    },
    user: {
      id: new Uint8Array([1, 2, 3]),
      name: 'user@localhost',
      displayName: 'user@localhost'
    },
    pubKeyCredParams: [
      { alg: -7, type: 'public-key' },
      { alg: -257, type: 'public-key' },
    ],
    timeout: 60000,
    attestation: 'none',
    authenticatorSelection: {
      userVerification: 'preferred',
    },
  },
});

```

4. Click Continue on the typical prompt to save a passkey in iCloud Keychain
5. Observe the following response containing `uv: false` (you can drop it into https://debugger.simplewebauthn.dev/ to confirm)

```
{
  "id": "MjdWlXQGnJ6Q4HRy0Z06YGx4rL8",
  "rawId": "MjdWlXQGnJ6Q4HRy0Z06YGx4rL8",
  "response": {
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDI3VpV0BpyekOB0ctGdOmBseKy_pQECAyYgASFYIJKaK0s4gnDCwe9BNIY2miE6VEPm3_FZCpA3FLeos7wyIlgg9GdSUZQdr_qjxdNC_2ontuzElx-tm0efIVpjNS5Vccc",
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiYUs4Ym12N1drYzhnOW5ySmJnVGZCb1o4aUNTODhFUFRscTdSdWpUNjFkayIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMCJ9",
    "transports": [
      "internal",
      "hybrid"
    ]
  },
  "type": "public-key",
  "authenticatorAttachment": "platform"
}
```

Comment 1 pascoe@apple.com 2023-01-19 16:36:23 PST

Hi Matt.

This is expected behavior. On macOS, if biometrics aren't available, the password prompt only thrown when uv=required.

When uv=preferred, user verification is only performed if biometrics are available.