Discourage webauthn user interaction
Else people might have the feeling this is also doing 2FA. And since it is only prefered it can be ignored and hacked around. Once we have proper 2FA with webauthn in one go this probably needs to be revisted. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
2c8901330f
commit
45108b087e
|
@ -107,7 +107,11 @@ class Manager {
|
||||||
$excludedPublicKeyDescriptors = [
|
$excludedPublicKeyDescriptors = [
|
||||||
];
|
];
|
||||||
|
|
||||||
$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria();
|
$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
|
||||||
|
null,
|
||||||
|
false,
|
||||||
|
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
|
||||||
|
);
|
||||||
|
|
||||||
return new PublicKeyCredentialCreationOptions(
|
return new PublicKeyCredentialCreationOptions(
|
||||||
$rpEntity,
|
$rpEntity,
|
||||||
|
@ -186,7 +190,8 @@ class Manager {
|
||||||
random_bytes(32), // Challenge
|
random_bytes(32), // Challenge
|
||||||
60000, // Timeout
|
60000, // Timeout
|
||||||
$this->stripPort($serverHost), // Relying Party ID
|
$this->stripPort($serverHost), // Relying Party ID
|
||||||
$registeredPublicKeyCredentialDescriptors // Registered PublicKeyCredentialDescriptor classes
|
$registeredPublicKeyCredentialDescriptors, // Registered PublicKeyCredentialDescriptor classes
|
||||||
|
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue