Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-16091

Keycloak WebAuthn Implementation Incompatible With TouchID/FaceID

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Done
    • 11.0.2
    • 14.0.0
    • Authentication
    • None
    • Hide
      1. Enable WebAuthn (either passwordless or as a second factor).
      2. Register a TouchID credential (see KEYCLOAK-16075 on why this is not possible in a default KeyCloak installation)
      3. Attempt to use the credential multiple times. Observe that it fails after the first.
      Show
      Enable WebAuthn (either passwordless or as a second factor). Register a TouchID credential (see  KEYCLOAK-16075 on why this is not possible in a default KeyCloak installation) Attempt to use the credential multiple times. Observe that it fails after the first.
    • NEW
    • NEW
    • ---
    • ---

    Description

      The Webkit/Safari team has just published details of their implementation of WebAuthn using FaceID/TouchID as platform authenticators: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/

      They notably do not ever increment the signature counter value:

      The signature counter is not implemented and therefore it is always zero. Secure Enclave is used to prevent the credential private key from leaking instead of a software safeguard.

      As a result, the KeyCloak WebAuthn implementation rejects every signature from the device, noting that its counter value hasn't incremented:

      2020-10-28 07:11:52,259 ERROR [stderr] (default task-1) com.webauthn4j.validator.exception.MaliciousCounterValueException: Malicious counter value is detected. Cloned authenticators exist in parallel.

      The WebKit team recommends using the attestation statement to validate the authenticator rather than the counter to validate device legitimacy. As this is not always available/desired, an option to enable or disable counter validation is probably the best solution.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. KEYCLOAK-16075 WebAuthn with Safari 14.1 does not work (TouchID/FaceID WebAuthn Requires User Gesture)

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. KEYCLOAK-16075 WebAuthn with Safari 14.1 does not work (TouchID/FaceID WebAuthn Requires User Gesture)

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Activity

            People

              Unassigned Unassigned
              0xscales Shea Polansky (Inactive)
              Votes:
              9 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: