From 45108b087e9cd8c8bdc4ae438f4dc14371699558 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Thu, 16 Jul 2020 21:10:07 +0200
Subject: [PATCH] Discourage webauthn user interaction

Else people might have the feeling this is also doing 2FA. And since it
is only prefered it can be ignored and hacked around.

Once we have proper 2FA with webauthn in one go this probably needs to
be revisted.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 lib/private/Authentication/WebAuthn/Manager.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/private/Authentication/WebAuthn/Manager.php b/lib/private/Authentication/WebAuthn/Manager.php
index cc3e9aba1c..4415badc9b 100644
--- a/lib/private/Authentication/WebAuthn/Manager.php
+++ b/lib/private/Authentication/WebAuthn/Manager.php
@@ -107,7 +107,11 @@ class Manager {
 		$excludedPublicKeyDescriptors = [
 		];
 
-		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria();
+		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
+			null,
+			false,
+			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
+		);
 
 		return new PublicKeyCredentialCreationOptions(
 			$rpEntity,
@@ -186,7 +190,8 @@ class Manager {
 			random_bytes(32),                                                    // Challenge
 			60000,                                                              // Timeout
 			$this->stripPort($serverHost),                                                                  // Relying Party ID
-			$registeredPublicKeyCredentialDescriptors                                  // Registered PublicKeyCredentialDescriptor classes
+			$registeredPublicKeyCredentialDescriptors,                                  // Registered PublicKeyCredentialDescriptor classes
+			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
 		);
 	}