Discourage webauthn user interaction

Else people might have the feeling this is also doing 2FA. And since it is only prefered it can be ignored and hacked around. Once we have proper 2FA with webauthn in one go this probably needs to be revisted. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-07-16 21:10:07 +02:00 · 2020-07-16 21:10:07 +02:00 · 45108b087e
parent 2c8901330f
commit 45108b087e
1 changed files with 7 additions and 2 deletions
--- a/lib/private/Authentication/WebAuthn/Manager.php
+++ b/lib/private/Authentication/WebAuthn/Manager.php
@ -107,7 +107,11 @@ class Manager {
 		$excludedPublicKeyDescriptors = [
 		];

-		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria();
+		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
+			null,
+			false,
+			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
+		);

 		return new PublicKeyCredentialCreationOptions(
 			$rpEntity,
@ -186,7 +190,8 @@ class Manager {
 			random_bytes(32),                                                    // Challenge
 			60000,                                                              // Timeout
 			$this->stripPort($serverHost),                                                                  // Relying Party ID
-			$registeredPublicKeyCredentialDescriptors                                  // Registered PublicKeyCredentialDescriptor classes
+			$registeredPublicKeyCredentialDescriptors,                                  // Registered PublicKeyCredentialDescriptor classes
+			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
 		);
 	}