From 884f3d009a8b81422b1f9275a21d5b125066af73 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Thu, 16 Jul 2020 21:10:07 +0200
Subject: [PATCH] Discourage webauthn user interaction

Else people might have the feeling this is also doing 2FA. And since it is only prefered it can be ignored and hacked around. Once we have proper 2FA with webauthn in one go this probably needs to be revisted.

Signed-off-by: Roeland Jago Douma
---
 lib/private/Authentication/WebAuthn/Manager.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/private/Authentication/WebAuthn/Manager.php b/lib/private/Authentication/WebAuthn/Manager.php
index cc3e9aba1cc9c..4415badc9b076 100644
--- a/lib/private/Authentication/WebAuthn/Manager.php
+++ b/lib/private/Authentication/WebAuthn/Manager.php
@@ -107,7 +107,11 @@ public function startRegistration(IUser $user, string $serverHost): PublicKeyCre
 		$excludedPublicKeyDescriptors = [
 		];
 
-		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria();
+		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
+			null,
+			false,
+			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
+		);
 
 		return new PublicKeyCredentialCreationOptions(
 			$rpEntity,
@@ -186,7 +190,8 @@ public function startAuthentication(string $uid, string $serverHost): PublicKeyC
 			random_bytes(32), // Challenge
 			60000, // Timeout
 			$this->stripPort($serverHost), // Relying Party ID
-			$registeredPublicKeyCredentialDescriptors // Registered PublicKeyCredentialDescriptor classes
+			$registeredPublicKeyCredentialDescriptors, // Registered PublicKeyCredentialDescriptor classes
+			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
 		);
 	}
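Review bot: The two bare positional arguments `null` and `false` passed to `new AuthenticatorSelectionCriteria(...)` in startRegistration carry no hint of what they select, and nothing in the code records why user verification is deliberately lowered to DISCOURAGED; the rationale lives only in the commit message, so a later maintainer is likely to "fix" it back to the library default. I would annotate each argument (presumably authenticator attachment and the resident-key requirement, to be confirmed against the library's constructor signature) and add a comment above the call such as `// User verification is intentionally DISCOURAGED: a "preferred" check can be skipped by the authenticator, so it must not be mistaken for a second factor. Revisit once WebAuthn is used for real 2FA.` The same constant is added without any comment in the startAuthentication hunk below; the same note applies there. startRegistration begins and ends outside this hunk.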
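Review bot: The newly appended `AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED` argument in startAuthentication is the only argument in this constructor call without the trailing `// ...` label that every neighbouring argument has, which makes it unclear which parameter of the request options it fills; `AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED // User verification requirement` keeps the hunk's own style. Since this setting means the authenticator may complete the assertion without any PIN or biometric check, it is worth noting in the same comment that possession of the key alone satisfies this flow, so nothing downstream should treat a successful assertion as user-verified. The constructor call being extended starts outside the hunk.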