
Problems with WebAuthn and Chrome

Open mdp opened this issue 6 years ago • 5 comments

There seems to be some funkiness around WebAuthn. Currently, I'm testing against https://webauthn.io

Registration: Registration succeeds, but the browser-provided pop-up never goes away. In the client-side JavaScript, the registration callback is successfully being called.

Authentication/Login: The Login prompt automatically assumes TPM mode, but maybe that's because I've previously authenticated with it. In this case, it seems to be impossible to revert back to cross-platform/USB key mode.

Details:

  - Extension Version: 1.0.17
  - Chrome Version: 73.0.3683.103 (64-bit OSX)
  - Website: https://webauthn.io

mdp avatar Apr 29 '19 20:04 mdp

@mdp thanks for the bug report. I can confirm the popup doesn't close in some cases. I think the login behavior is because you've already registered with Krypton...it might be the case that if you register multiple times it saves both keys on the pseudo account. Maybe try changing the user name?

agrinman avatar Apr 29 '19 20:04 agrinman

Yep, you were right. Changing the username fixes the login issue. Is there any way to "clear" the accounts?

mdp avatar Apr 29 '19 20:04 mdp

Maybe clear the session cookies?

agrinman avatar Apr 29 '19 20:04 agrinman

Thanks, Alex. The login seems like a minor issue with the UI on Chrome. There might not even be an easy way to fix it since it's probably more on Chrome's end.

Here's the issue/how to reproduce it:

  1. I register with a new identity, say [email protected], using TPM (in my case, a fingerprint reader), and then register using Krypton/CrossPlatform.
  2. Now WebAuthn.io has two public keys for me at [email protected]. At this point, I "Login", and they pass back 2 "Allowed Credentials", one of which is known by Chrome to be tied to TPM.
  3. Chrome pops up the TPM Auth, while Krypton on my phone asks if I want to Login to Webauthn.io. Saying yes on Krypton has no effect on the popup or on logging in.

The workaround: On the last step, before approving the Krypton request, click the "Choose another option" and select "Verify via USB". THEN approve the existing request on the Krypton app.

mdp avatar Apr 29 '19 21:04 mdp
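
Added example, not part of the thread and not Krypton's or webauthn.io's code: the login request from step 2 as a relying party might build it, with an optional filter so that only one class of authenticator is offered. The credential IDs, the `prefer` parameter, the `usb` transport recorded for the Krypton key, and the function name are assumptions made for illustration.

```javascript
const { randomBytes } = require("crypto");

// Constructed sample: two credentials registered to one account, as in step 1.
// The IDs are made-up bytes; "attachment" and "transports" stand for what the
// relying party recorded at registration time (assumed values).
const storedCredentials = [
  { id: Buffer.from("platform-credential-id"), attachment: "platform", transports: ["internal"] },
  { id: Buffer.from("krypton-credential-id"), attachment: "cross-platform", transports: ["usb"] },
];

// Build the PublicKeyCredentialRequestOptions passed to navigator.credentials.get().
// `prefer` is a hypothetical server-side parameter: when set, only credentials
// with that attachment go into allowCredentials, so the browser sees a single
// candidate instead of choosing between a platform and a roaming authenticator.
function buildRequestOptions(credentials, rpId, prefer) {
  const offered = prefer
    ? credentials.filter((c) => c.attachment === prefer)
    : credentials;
  if (offered.length === 0) {
    throw new Error("no registered credential matches attachment: " + prefer);
  }
  return {
    challenge: randomBytes(32), // fresh per login attempt
    rpId,
    timeout: 60000,
    userVerification: "preferred",
    allowCredentials: offered.map((c) => ({
      type: "public-key",
      id: c.id,
      transports: c.transports, // a hint to the client, per the WebAuthn spec
    })),
  };
}

// Step 2 as described: both credentials are returned to the browser.
const bothOffered = buildRequestOptions(storedCredentials, "webauthn.io");
// Filtered variant: only the cross-platform (Krypton) credential is offered.
const roamingOnly = buildRequestOptions(storedCredentials, "webauthn.io", "cross-platform");

console.log(bothOffered.allowCredentials.map((c) => c.transports));
console.log(roamingOnly.allowCredentials.map((c) => c.transports));
```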

I think this is the same issue that occurs for Google sites, where Chrome's own dialog does not close when the Krypton request is approved. The underlying website processes the request properly, and logs in, but Chrome's dialog does not recognise that the 2-factor transaction has already completed.

viggy96 avatar Aug 20 '19 03:08 viggy96