Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-16091

Keycloak WebAuthn Implementation Incompatible With TouchID/FaceID

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 11.0.2
    • Fix Version/s: 14.0.0
    • Component/s: Authentication
    • Labels:
      None
    • Epic Link:
    • Steps to Reproduce:
      Hide
      1. Enable WebAuthn (either passwordless or as a second factor).
      2. Register a TouchID credential (see KEYCLOAK-16075 on why this is not possible in a default KeyCloak installation)
      3. Attempt to use the credential multiple times. Observe that it fails after the first.
      Show
      Enable WebAuthn (either passwordless or as a second factor). Register a TouchID credential (see  KEYCLOAK-16075 on why this is not possible in a default KeyCloak installation) Attempt to use the credential multiple times. Observe that it fails after the first.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      The Webkit/Safari team has just published details of their implementation of WebAuthn using FaceID/TouchID as platform authenticators: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/

      They notably do not ever increment the signature counter value:

      The signature counter is not implemented and therefore it is always zero. Secure Enclave is used to prevent the credential private key from leaking instead of a software safeguard.

      As a result, the KeyCloak WebAuthn implementation rejects every signature from the device, noting that its counter value hasn't incremented:

      2020-10-28 07:11:52,259 ERROR [stderr] (default task-1) com.webauthn4j.validator.exception.MaliciousCounterValueException: Malicious counter value is detected. Cloned authenticators exist in parallel.

      The WebKit team recommends using the attestation statement to validate the authenticator rather than the counter to validate device legitimacy. As this is not always available/desired, an option to enable or disable counter validation is probably the best solution.

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. KEYCLOAK-16075 WebAuthn with Safari 14.1 does not work (TouchID/FaceID WebAuthn Requires User Gesture)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. KEYCLOAK-16075 WebAuthn with Safari 14.1 does not work (TouchID/FaceID WebAuthn Requires User Gesture)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              scales Shea Polansky (Inactive)
              Votes:
              9 Vote for this issue
              Watchers:
              12 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: