authenticator-rs
Tolerate unknown AuthenticatorVersion values while deserializing
I recently got a prototype FIDO_2_2 authenticator and noticed that WebAuthn operations with it fail when userVerification: "required", or when residentKey: "required". I traced the root cause to the deserialization of AuthenticatorVersion, which is intolerant of unknown values such as "FIDO_2_2". This causes Firefox to downgrade to the CTAP1 protocol for any authenticator whose getInfo contains "FIDO_2_2" (or any other unknown value, such as future versions), preventing use of any CTAP2-exclusive features with those authenticators.
Reproducing the issue
- Launch Firefox 139.0 and open https://demo.yubico.com/webauthn-developers
- In “Authenticator selection”, uncheck “excludeCredentials” and set “userVerification” to “discouraged”. Click “CREATE” at the bottom and create a credential using a FIDO_2_2 authenticator. Observe that the credential registration succeeds.
- In “Authenticator selection”, change “userVerification” to “required”. Again click “CREATE” at the bottom and create a credential using a FIDO_2_2 authenticator. Observe that the credential registration now fails.
Fixing the issue
This adds an AuthenticatorVersion::Unknown variant with #[serde(other)], causing unknown values to deserialize to that variant instead of being rejected. This is enough to prevent Firefox from downgrading FIDO_2_2 devices to CTAP1, so they can successfully use UV and other CTAP2-exclusive features.
This PR does not add a FIDO_2_2 variant since that would not actually add support for any features introduced in FIDO_2_2.
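The strict-versus-tolerant split described above, as an added illustration that is not code from the authenticator-rs project or from this PR. The real enum is serde-derived and the PR's fix is a `#[serde(other)]` variant; this stand-alone example hand-rolls the parsing so it runs without external crates, using a constructed `AuthenticatorVersion` enum, a constructed getInfo version list and hypothetical `select_protocol_strict`/`select_protocol_tolerant` helpers that model the CTAP1 downgrade. It also generalizes slightly beyond the page by showing that a list with no known CTAP2 version still selects CTAP1 under the tolerant parser, since `Unknown` is never treated as CTAP2-capable.

```rust
use std::str::FromStr;

/// Constructed stand-in for the library's version enum (not the real
/// definition). In authenticator-rs the enum is serde-derived and the PR adds
/// an `Unknown` variant marked `#[serde(other)]`; the strict/tolerant split
/// below is the same, just written by hand so it needs no crates.
#[allow(non_camel_case_types)]
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthenticatorVersion {
    U2F_V2,
    FIDO_2_0,
    FIDO_2_1_PRE,
    FIDO_2_1,
    /// Catch-all for versions this build does not know (e.g. "FIDO_2_2").
    Unknown,
}

impl FromStr for AuthenticatorVersion {
    type Err = String;

    /// Strict parsing: any string outside the known set is an error, so a
    /// single unknown entry makes the whole getInfo response unparseable.
    /// This mirrors the pre-fix behaviour.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "U2F_V2" => Ok(Self::U2F_V2),
            "FIDO_2_0" => Ok(Self::FIDO_2_0),
            "FIDO_2_1_PRE" => Ok(Self::FIDO_2_1_PRE),
            "FIDO_2_1" => Ok(Self::FIDO_2_1),
            other => Err(format!("unknown AuthenticatorVersion {:?}", other)),
        }
    }
}

impl AuthenticatorVersion {
    /// Tolerant parsing: unknown strings map to `Unknown`, which is what
    /// `#[serde(other)]` does for a serde-derived enum.
    pub fn parse_tolerant(s: &str) -> Self {
        s.parse::<Self>().unwrap_or(Self::Unknown)
    }

    /// Only versions this build knows count as CTAP2-capable. `Unknown`
    /// deliberately does not, matching the PR's choice not to add a FIDO_2_2
    /// variant without implementing its features.
    pub fn is_ctap2(&self) -> bool {
        matches!(self, Self::FIDO_2_0 | Self::FIDO_2_1_PRE | Self::FIDO_2_1)
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Protocol {
    Ctap1,
    Ctap2,
}

/// Hypothetical pre-fix selection: if the version list fails to parse, the
/// device is treated as CTAP1-only (the downgrade the PR describes).
pub fn select_protocol_strict(versions: &[&str]) -> Protocol {
    let parsed: Result<Vec<AuthenticatorVersion>, String> = versions
        .iter()
        .map(|v| v.parse::<AuthenticatorVersion>())
        .collect();
    match parsed {
        Ok(list) if list.iter().any(AuthenticatorVersion::is_ctap2) => Protocol::Ctap2,
        _ => Protocol::Ctap1,
    }
}

/// Hypothetical post-fix selection: unknown entries become `Unknown` and the
/// known CTAP2 entries still drive protocol selection.
pub fn select_protocol_tolerant(versions: &[&str]) -> Protocol {
    let list: Vec<AuthenticatorVersion> = versions
        .iter()
        .map(|v| AuthenticatorVersion::parse_tolerant(v))
        .collect();
    if list.iter().any(AuthenticatorVersion::is_ctap2) {
        Protocol::Ctap2
    } else {
        Protocol::Ctap1
    }
}

fn main() {
    // Constructed getInfo "versions" list from a prototype FIDO_2_2 device.
    let versions = ["U2F_V2", "FIDO_2_1", "FIDO_2_2"];
    println!("strict:   {:?}", select_protocol_strict(&versions));
    println!("tolerant: {:?}", select_protocol_tolerant(&versions));
}
```

Running it shows the strict path selecting `Ctap1` for the same device that the tolerant path keeps on `Ctap2`, which is exactly the downgrade the reproduction steps observe as a failed registration under `userVerification: "required"`.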
Related:
- #334
- #343