The current setting on the PyPI site is to ignore the `UserVerificationOption` setting in the `navigator.credentials.create()` call. Based on this Chromium documentation, it appears to be set to "preferred" by default.
TL;DR: it interrupts the login flow by popping up a PIN entry dialog upon tapping my YubiKey, then requires me to tap again after successful PIN entry. This is not the recommended setting for second-factor credentials, only for passwordless [1].
Please explicitly set this to discouraged instead, so that I will no longer have PIN prompts on second-factor login.
Thanks for filing this issue and providing great references, @gcochard!
I was able to reproduce this using a FIDO2 compatible token and Google Chrome on macOS.
Based on your provided references it seems like your suggestion is correct.
The library we use for WebAuthn on the server has implemented this option in https://github.com/duo-labs/py_webauthn/commit/44bb8241ca6a10b6d50f20f32452500ddebecb9d but has not created a release since.
A release has already been requested for the same reason in https://github.com/duo-labs/py_webauthn/issues/60.
Once we get an update to the WebAuthn library this shouldn't be too bad to see implemented.
v0.4.6 has been released!
Just following up that my existing registration now works without prompting for the PIN.
Thanks again for this!
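
The setting discussed in this thread, as an added example that is not part of the thread and is not PyPI's or py_webauthn's code: where `userVerification` goes in the options for `navigator.credentials.create()` and `navigator.credentials.get()`, and how a relying party can read the UP/UV flags from the returned authenticator data so its check matches what it asked for. Function names and the sample authenticator data are assumptions constructed for illustration.

```javascript
// Added example; all function names are hypothetical.

// Options for navigator.credentials.create(): userVerification sits under
// authenticatorSelection. Leaving it out gives the default, "preferred",
// which is what produces the PIN prompt on FIDO2 tokens.
function registrationOptions({ challenge, rp, user, secondFactor }) {
  return {
    challenge, // random bytes generated by the server
    rp,
    user,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      userVerification: secondFactor ? "discouraged" : "required",
    },
  };
}

// Options for navigator.credentials.get(): userVerification is top-level.
function assertionOptions({ challenge, rpId, credentialIds, secondFactor }) {
  return {
    challenge,
    rpId,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: secondFactor ? "discouraged" : "required",
  };
}

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
// Flag bit 0 is UP (user present), bit 2 is UV (user verified).
function checkFlags(authData, requireUserVerification) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const up = (flags & 0x01) !== 0;
  const uv = (flags & 0x04) !== 0;
  if (!up) return { ok: false, up, uv, reason: "user presence missing" };
  if (requireUserVerification && !uv) {
    return { ok: false, up, uv, reason: "user verification required" };
  }
  return { ok: true, up, uv, reason: null };
}

// Constructed sample: minimal authenticatorData carrying only the given flags.
function sampleAuthData(flags) {
  const data = new Uint8Array(37); // rpIdHash and signCount left as zeros
  data[32] = flags;
  return data;
}
```

A second-factor flow built this way accepts a tap without PIN (flags `0x01`), while a passwordless flow that passes `requireUserVerification = true` rejects the same response.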