Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update documentation to avoid PIN bypass #372

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
+10 −4
Open

Update documentation to avoid PIN bypass #372

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
98cb710
Update documentation to avoid PIN bypass
tcannonfodder Sep 20, 2022
aa62573
Update advanced_configuration to avoid PIN bypass
tcannonfodder Sep 20, 2022
0a36696
Update `advanced_configuration.md`: require user verification on create
tcannonfodder Sep 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,7 +237,8 @@ begin
webauthn_credential.verify(
session[:authentication_challenge],
public_key: stored_credential.public_key,
sign_count: stored_credential.sign_count
sign_count: stored_credential.sign_count,
user_verification: true, # needed for passwordless verification
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also add this to creation options in the initiation phase of the Credential Registration ceremony 🙂

)

# Update the stored credential sign count with the value from `webauthn_credential.sign_count`
Expand Down Expand Up @@ -384,11 +385,14 @@ Verifies the asserted WebAuthn credential is [valid](https://www.w3.org/TR/webau
Mainly, that the client provided a valid cryptographic signature for the corresponding stored credential public
key, among other extra validations.

Note that the `user_verification: true` flag is required to ensure that the the authenticator has verified the user's identity before sending the credentials. See the following [CVE-2020-8236 writeup](https://hwsecurity.dev/2020/08/webauthn-pin-bypass/)

```ruby
credential_with_assertion.verify(
session[:authentication_challenge],
public_key: stored_credential.public_key,
sign_count: stored_credential.sign_count
sign_count: stored_credential.sign_count,
user_verification: true # needed for passwordless verification
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also add this for PublicKeyCredentialWithAttestation#verify 🙂

Also, we could also add it to the params of this method in line 381.

)
```

Expand Down
6 changes: 4 additions & 2 deletions docs/advanced_configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,8 @@ session[:creation_challenge] = options.challenge
begin
webauthn_credential = relying_party.verify_registration(
params[:publicKeyCredential],
params[:create_challenge]
params[:create_challenge],
user_verification: true
)

# Store Credential ID, Credential Public Key and Sign Count for future authentications
Expand Down Expand Up @@ -147,7 +148,8 @@ begin
# in params[:publicKeyCredential]:
webauthn_credential, stored_credential = relying_party.verify_authentication(
params[:publicKeyCredential],
session[:authentication_challenge]
session[:authentication_challenge],
user_verification: true
) do
# the returned object needs to respond to #public_key and #sign_count
user.credentials.find_by(webauthn_id: webauthn_credential.id)
Expand Down