Discourage webauthn user interaction

Else people might have the feeling this is also doing 2FA. And since it
is only prefered it can be ignored and hacked around.

Once we have proper 2FA with webauthn in one go this probably needs to
be revisted.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2020-07-16 21:10:07 +02:00 committed by backportbot[bot]
parent 2c8901330f
commit 45108b087e
1 changed files with 7 additions and 2 deletions

View File

@ -107,7 +107,11 @@ class Manager {
$excludedPublicKeyDescriptors = [ $excludedPublicKeyDescriptors = [
]; ];
$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(); $authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
null,
false,
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
);
return new PublicKeyCredentialCreationOptions( return new PublicKeyCredentialCreationOptions(
$rpEntity, $rpEntity,
@ -186,7 +190,8 @@ class Manager {
random_bytes(32), // Challenge random_bytes(32), // Challenge
60000, // Timeout 60000, // Timeout
$this->stripPort($serverHost), // Relying Party ID $this->stripPort($serverHost), // Relying Party ID
$registeredPublicKeyCredentialDescriptors // Registered PublicKeyCredentialDescriptor classes $registeredPublicKeyCredentialDescriptors, // Registered PublicKeyCredentialDescriptor classes
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
); );
} }