From 98cb710d4c2ab4c8b535b0899fc966add13b52b8 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 20 Sep 2022 14:40:23 -0400 Subject: [PATCH 1/3] Update documentation to avoid PIN bypass This fixes #350, which pointed out a bug in certain browser/device combinations that allow bypassing the user's PIN if the `user_verification: true` flag is not set. https://hwsecurity.dev/2020/08/webauthn-pin-bypass/ --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fdf692c8..d900521c 100644 --- a/README.md +++ b/README.md @@ -237,7 +237,8 @@ begin webauthn_credential.verify( session[:authentication_challenge], public_key: stored_credential.public_key, - sign_count: stored_credential.sign_count + sign_count: stored_credential.sign_count, + user_verification: true, # needed for passwordless verification ) # Update the stored credential sign count with the value from `webauthn_credential.sign_count` @@ -384,11 +385,14 @@ Verifies the asserted WebAuthn credential is [valid](https://www.w3.org/TR/webau Mainly, that the client provided a valid cryptographic signature for the corresponding stored credential public key, among other extra validations. +Note that the `user_verification: true` flag is required to ensure that the the authenticator has verified the user's identity before sending the credentials. See the following [CVE-2020-8236 writeup](https://hwsecurity.dev/2020/08/webauthn-pin-bypass/) + ```ruby credential_with_assertion.verify( session[:authentication_challenge], public_key: stored_credential.public_key, - sign_count: stored_credential.sign_count + sign_count: stored_credential.sign_count, + user_verification: true # needed for passwordless verification ) ``` From aa62573d27e502f0dd817339720cfa272dc84770 Mon Sep 17 00:00:00 2001 
From: Thomas Cannon Date: Tue, 20 Sep 2022 14:42:15 -0400 Subject: [PATCH 2/3] Update advanced_configuration to avoid PIN bypass Similar to https://github.com/cedarcode/webauthn-ruby/pull/372/commits/98cb710d4c2ab4c8b535b0899fc966add13b52b8, this helps ensure that clients do not allow PIN bypasses for older browser/device combinations --- docs/advanced_configuration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/advanced_configuration.md b/docs/advanced_configuration.md index 79813d4f..e47fdd39 100644 --- a/docs/advanced_configuration.md +++ b/docs/advanced_configuration.md @@ -147,7 +147,8 @@ begin # in params[:publicKeyCredential]: webauthn_credential, stored_credential = relying_party.verify_authentication( params[:publicKeyCredential], - session[:authentication_challenge] + session[:authentication_challenge], + user_verification: true ) do # the returned object needs to respond to #public_key and #sign_count user.credentials.find_by(webauthn_id: webauthn_credential.id) From 0a36696b675fa2f45a50c520d105fced9c33a01d Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 20 Sep 2022 14:52:03 -0400 Subject: [PATCH 3/3] Update `advanced_configuration.md`: require user verification on create --- docs/advanced_configuration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/advanced_configuration.md b/docs/advanced_configuration.md index e47fdd39..03e82228 100644 --- a/docs/advanced_configuration.md +++ b/docs/advanced_configuration.md @@ -101,7 +101,8 @@ session[:creation_challenge] = options.challenge begin webauthn_credential = relying_party.verify_registration( params[:publicKeyCredential], - params[:create_challenge] + params[:create_challenge], + user_verification: true ) # Store Credential ID, Credential Public Key and Sign Count for future authentications