
invalid ctsProfileMatch in payload

Open brainfoolong opened this issue 4 years ago • 4 comments

Hi!

I tried your library today. Unfortunately I can't add a new registration for my device (Android 11, Xiaomi Mi 9, Chrome newest) with Android SafetyNet (using the device's lock screen mechanism).

On my installation, and even on your demo page, after clicking "new registration" and enabling the desired option, the error "invalid ctsProfileMatch in payload" pops up, which comes from the server side. I found this error message in your WebAuthn code, where ctsProfileMatch is false.

I can't find any further info about this, as I am no expert in how your internals work.

If you need more info, please let me know.

brainfoolong avatar Nov 28 '21 16:11 brainfoolong

However, I tried further by removing the check at https://github.com/lbuchs/WebAuthn/blob/e5d9434a7eaa185ef4975109e16b90f6d9a0b684/src/Attestation/Format/AndroidSafetyNet.php#L103; then everything works fine and I can get the process of creation and authentication, and later using it for login, to work.

I don't know if removing this check has any security flaws.

brainfoolong avatar Nov 28 '21 17:11 brainfoolong

ctsProfileMatch: A stricter verdict of device integrity. If the value of ctsProfileMatch is true, then the profile of the device running your app matches the profile of a device that has passed Android compatibility testing and has been approved as a Google-certified Android device.

basicIntegrity: A more lenient verdict of device integrity. If only the value of basicIntegrity is true, then the device running your app likely wasn't tampered with. However, the device hasn't necessarily passed Android compatibility testing.

-- https://developer.android.com/training/safetynet/attestation#compat-check-response

So Trump made that problem 😉 Xiaomi devices are not Google-certified Android devices. Could also switch to basicIntegrity

lbuchs avatar Nov 30 '21 10:11 lbuchs

Ok, I am not quite sure what that means. Is it possible to set a setting in your library to make this work then, or do I have to add other settings on the client side?

brainfoolong avatar Nov 30 '21 10:11 brainfoolong

I would heavily support having an option there, or even a way to not require either of them but report them so the admin can choose how to deal with the device (notably giving the user information when blocking it, or even allowing it with a warning).

My1 avatar Jan 28 '22 12:01 My1
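The verdict policy discussed in this thread (require ctsProfileMatch, fall back to basicIntegrity, or only report the verdict to the admin), as an added PHP example that is not part of the lbuchs/WebAuthn library. Function and policy names are hypothetical, and it assumes the JWS signature, certificate chain and nonce have already been verified by the library; it only evaluates the integrity claims.

```php
<?php
// Added example, not the library's code: apply a configurable policy to the
// SafetyNet verdict instead of hard-failing on ctsProfileMatch. Assumes the
// JWS signature, certificate chain and nonce were already verified elsewhere;
// only the integrity claims are evaluated here. All names are hypothetical.
const POLICY_STRICT  = 'strict';   // require ctsProfileMatch (library default)
const POLICY_LENIENT = 'lenient';  // require basicIntegrity only
const POLICY_REPORT  = 'report';   // accept, but return the verdict for the admin

function base64urlDecode(string $data): string {
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
    return (string) base64_decode(strtr($data, '-_', '+/'), true);
}

// Extract the claims from the payload (middle) segment of a compact JWS.
function safetynetClaims(string $jws): array {
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('malformed JWS');
    }
    $claims = json_decode(base64urlDecode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('invalid JWS payload');
    }
    return $claims;
}

// Unknown policy names fall back to strict, so a typo fails closed.
function evaluateVerdict(array $claims, string $policy): array {
    $cts   = ($claims['ctsProfileMatch'] ?? false) === true;
    $basic = ($claims['basicIntegrity'] ?? false) === true;
    $warning = $cts ? null : ($basic
        ? 'basicIntegrity passed but device is not Google-certified (ctsProfileMatch=false)'
        : 'device failed basicIntegrity');
    $accepted = $policy === POLICY_REPORT || ($policy === POLICY_LENIENT ? $basic : $cts);
    return ['accepted' => $accepted, 'ctsProfileMatch' => $cts,
            'basicIntegrity' => $basic, 'warning' => $warning];
}

// Constructed sample: header/signature are placeholders; the payload models an
// untampered but uncertified device like the one reported in this issue.
$payload = rtrim(strtr(base64_encode(json_encode(
    ['nonce' => 'placeholder', 'ctsProfileMatch' => false, 'basicIntegrity' => true]
)), '+/', '-_'), '=');
$claims = safetynetClaims('eyJhbGciOiJSUzI1NiJ9.' . $payload . '.sig-placeholder');
foreach ([POLICY_STRICT, POLICY_LENIENT, POLICY_REPORT] as $policy) {
    $v = evaluateVerdict($claims, $policy);
    printf("%-8s accepted=%s warning=%s\n", $policy, $v['accepted'] ? 'yes' : 'no', $v['warning'] ?? '-');
}
```

With the sample payload, the strict policy rejects the registration (the behaviour reported above), the lenient policy accepts it, and the report policy accepts it while handing the warning back so the admin can decide.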