Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Done
- Version: 11.0.2
Description
The WebKit/Safari team has just published details of their implementation of WebAuthn using FaceID/TouchID as platform authenticators: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
They notably do not ever increment the signature counter value:
"The signature counter is not implemented and therefore it is always zero. Secure Enclave is used to prevent the credential private key from leaking instead of a software safeguard."
As a result, the Keycloak WebAuthn implementation rejects every signature from the device, noting that its counter value hasn't incremented:
2020-10-28 07:11:52,259 ERROR [stderr] (default task-1) com.webauthn4j.validator.exception.MaliciousCounterValueException: Malicious counter value is detected. Cloned authenticators exist in parallel.
The WebKit team recommends using the attestation statement to validate the authenticator rather than the counter to validate device legitimacy. As this is not always available/desired, an option to enable or disable counter validation is probably the best solution.
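The check in question is the signature-counter step of WebAuthn assertion verification (§7.2), which only compares counters when the stored value or the received value is nonzero. The following is an added Python example, not Keycloak or webauthn4j code, showing that rule next to a strict variant (which rejects the always-zero Safari counter, as in the log above) and a disabled variant; the names CounterPolicy, StoredCredential and verify_sign_count are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class CounterPolicy(Enum):
    STRICT = "strict"  # counter must always increase; rejects counter-less authenticators
    SPEC = "spec"      # WebAuthn section 7.2: skip the check only when both values are zero
    IGNORE = "ignore"  # never check the counter; legitimacy comes from attestation instead


@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int  # last authData.signCount accepted for this credential


class ClonedAuthenticatorError(Exception):
    """Raised when the counter did not increase, a possible cloned-authenticator signal."""


def verify_sign_count(cred: StoredCredential, received: int,
                      policy: CounterPolicy = CounterPolicy.SPEC) -> int:
    """Apply the signature-counter check and return the value the RP should store."""
    if policy is CounterPolicy.IGNORE:
        return received
    # A permanently-zero counter (e.g. Safari with Secure Enclave) is the
    # spec's "authenticator does not implement a counter" case: no check.
    if policy is CounterPolicy.SPEC and cred.sign_count == 0 and received == 0:
        return 0
    if received <= cred.sign_count:
        raise ClonedAuthenticatorError(
            f"counter did not increase (stored={cred.sign_count}, received={received})")
    return received


def is_accepted(cred: StoredCredential, received: int, policy: CounterPolicy) -> bool:
    try:
        verify_sign_count(cred, received, policy)
        return True
    except ClonedAuthenticatorError:
        return False


def safari_assertion_outcomes() -> dict:
    """Outcome of a Safari assertion (stored 0, received 0) under each policy."""
    cred = StoredCredential(credential_id=b"constructed-credential-id", sign_count=0)
    return {p.value: ("accepted" if is_accepted(cred, 0, p) else "rejected")
            for p in CounterPolicy}


if __name__ == "__main__":
    print(safari_assertion_outcomes())  # {'strict': 'rejected', 'spec': 'accepted', 'ignore': 'accepted'}
```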
Issue Links
- is related to: KEYCLOAK-16075 WebAuthn with Safari 14.1 does not work (TouchID/FaceID WebAuthn Requires User Gesture) (Closed)