Create a copy of this page as a sibling and complete it as instructed below. Please do not disturb markers such as  {10{ and }}.

Describe the platform

To ensure a successful test of the authenticator, please follow these steps:

  • For this test, you need a computer or mobile device and a hardware or software authenticator. It may be:
    • Hardware authenticator, such as YubiKey.
    • Operating system authenticator, such as Touch ID or Windows Hello.
    • Software authenticator, such as tpm-fido.
    • Password manager with passkey support, such as Dashlane.
  • The actions performed during this test are parts of regular usage and should not affect the authenticator in any way. However, you may choose to use a brand-new authenticator, reset or clear it to avoid any conflicts during the test.
  • If necessary, delete the passkey that you create during this testing if it prevents you from creating it again. This should not happen, but if it does, please provide a screenshot and an accompanying note. If you are willing to, reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
  • Fill in the details in the table below:

Tester:
@ (name yourself){10{

Pavel Břoušek 

}}Date:
Use '//' to input date{15{

 

}}Authenticator (or device) vendor:
Yubico, Apple, Dell, HP, Android phone brand...{17{
Sony / Google
}}Authenticator (or device) model:
YubiKey 5 NFC, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...{20{
Xperia 10 II
}}OS and its version:
iOS 13, macOS 10.5.8, Windows 10 22H2, Windows 11 22H2, Android 13...{25{

Android 12

}}Browser and its version:
Chrome 114, Firefox 114...{30{
Firefox 117
}}I registered a PIN/password/finger/face in the authenticator before the session:
Yes or No
(
The situation where you have not previously registered in the authenticator is interesting for checking if the passkey creation will trigger user registration.){35{

Yes

}}

  • Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.

Capture the platform or browser passkey options

  • If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and paste or attach them here.
    • If you are using a password manager, capture its passkey-related options.
    • If you are using a browser supporting passkeys, capture its options instead.
    • If you are using an operating system to manage passkeys, capture its options instead.

Possible locations:

    • Windows 11: Settings > Accounts > Passkeys
    • iOS: Settings > Apple ID > iCloud > Passwords & Keychain
    • Chrome (Windows): Settings > Autofill and passwords > Password Manager > Manage passkeys

These are exemplary paths. You need to screenshot the only passkey-related options. Please paste screenshots in or outside this table as suitable:





















Get diagnostics

  • Open https://webauthntest.identitystandards.io/.
  • Log in using any user name - this is probably just for the app's internal logging.
  • Click the "..." button.
  • If there are any problems while doing the above, try another time or use another device. If the problem persists, please let us know over Slack.

}}Copy-paste the diagnostic results on the right as text (rows are labelled the same):

Platform authenticator (isUVPAA)


Conditional Mediation (Autofill UI)


CTAP2 support (Firefox)


{40{


Available

Not defined

Not supported

}}

Set repeated settings

  • Click the "+" button to create a passkey. Choose the following:
    • RP Info: This domain
    • User Info: Bob
    • Attachment: Undefined
    • Require Resident Key: True
    • Resident Key (L2): Required

It should look like this:

Create passkeys using various settings


  • Capture and paste below the screenshot of various prompts, screens, dialogues, questions or messages that show up during passkey registration as you encounter them.
    • If some options are offered, snapshot them as well, but do not change anything.
    • Capture screenshots at each step of the first passkey creation.
    • Also, capture screenshots when new screens appear during subsequent passkey creations and add them here.
    • Try not to duplicate screenshots of the same steps, as interactions will likely look similar.
    • If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.

    • You can add a note to a screenshot if you encounter an error or find something interesting.
    • If you are wonderinf wgy

Please insert or paste screenshots in this table as suitable, preferably putting the related screenshots in one row (you can place a note beneath an image in the same cell):

Seq1





Seq2 (just new screens)





Seq3 (just new screens)





Seq4 (just new screens)





Test User Verification

  • Select User Verification: Discouraged and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{45{

Credential ID
01E0F243F8EAE2DD5A0B0ADAB470C3B1FCBAC5EEF8F12A4AB5AD88CE8331C0C6DBB1B25783DEC7454B88FB95FF4F522A235447A5FB6DA63A044C00A627CB28ACA2

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

}}

  • Select User Verification: Required and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Note that the latest result is the rightmost in the bottom row. You may delete already pasted results.
  • All authenticators should be able to register multiple passkeys for the same domain, so you do not need to delete the previously created one. It is likely that the passkeys you create will override each other since they are for the same domain and use the same user name "bob@example.com").

Copy-paste the result on the right:
Put Unsupported if there was an error{50{

Credential ID

01D0A87751895CDF9AA759EC8A8C3D2F0E92F233F46B7D0FE8E669F8EC0D7DB2E0D647863E8BCC9275F9A0DC7D4400DF302D143DC9CBD47A9C4385DCF07F4F621D

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

Test Attestation

  • Select Attestation: Enterprise and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{55{

Credential ID
01BAED4772FE8B90670211377CB7F98226C2A30133382B6F653FFA1E5D8823DB790DD1205AED1EEEF36BB2EE9202562BEF7C8E3FE81094C1ED776C03DAF6482291

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue:

Require Resident Key

true

Authenticator Data
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Authenticator Data in Hex
0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C450000000000000000000000000000000000000000004101BAED4772FE8B90670211377CB7F98226C2A30133382B6F653FFA1E5D8823DB790DD1205AED1EEEF36BB2EE9202562BEF7C8E3FE81094C1ED776C03DAF6482291A501020326200121582034B47F0F7B044A40F81BB5B284022AD68873F31C83D3EFA91AF36BAFE9D8905F225820F9F78647D35AB15F94C32606ECA45175C91D9E1319F8CDF7773DD9B101F1EAEB

Public Key
EC key: A501020326200121582034B47F0F7B044A40F81BB5B284022AD68873F31C83D3EFA91AF36BAFE9D8905F225820F9F78647D35AB15F94C32606ECA45175C91D9E1319F8CDF7773DD9B101F1EAEB

Extension Data
No extension data

Attestation Statement Chain
none

Attestation Statement in Hex
A0

}}

  • Select Attestation: Direct and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{60{

Credential ID
0133A0023FEBB42792D19886116E6D01B4FBF55D77BC2492346D9915ABB406142294EDEEA2BA28534F95F699B6B488C83B3382E825EF867812D7F2231BD9829413

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue:

Require Resident Key
true

Authenticator Data
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Authenticator Data in Hex
0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C45000000000000000000000000000000000000000000410133A0023FEBB42792D19886116E6D01B4FBF55D77BC2492346D9915ABB406142294EDEEA2BA28534F95F699B6B488C83B3382E825EF867812D7F2231BD9829413A50102032620012158205C90EF4FD2199DF78919730B254DE318595136338AB6AB44770C3D9E65BE76472258202E060E147E7020261F1ACF83AFA4894304EA75A50954915C07565B628662E916

Public Key
EC key: A50102032620012158205C90EF4FD2199DF78919730B254DE318595136338AB6AB44770C3D9E65BE76472258202E060E147E7020261F1ACF83AFA4894304EA75A50954915C07565B628662E916

Extension Data
No extension data

Attestation Statement Chain
none

Attestation Statement in Hex
A0 

}}

  • Select Attestation: Indirect and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{65{

Credential ID
012928368D9EE5C86C845F1356B2BDB464BE8561174EBBA6BEA9BA6D5959A5AE5D033B1C39341544E9D380057351F42139523A6A14BCDACF70621FEF279269417E

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue:

Require Resident Key
true

Authenticator Data
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Authenticator Data in Hex
0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C4500000000000000000000000000000000000000000041012928368D9EE5C86C845F1356B2BDB464BE8561174EBBA6BEA9BA6D5959A5AE5D033B1C39341544E9D380057351F42139523A6A14BCDACF70621FEF279269417EA5010203262001215820361B956A3D47FCE6A2C24829B24B68FE14493381D3698EB2A6F988E52434BEF6225820851B31EAFE56E39012FAEC3F613AA510CE743A2081AD4098454E41A8D00F8ABF

Public Key
EC key: A5010203262001215820361B956A3D47FCE6A2C24829B24B68FE14493381D3698EB2A6F988E52434BEF6225820851B31EAFE56E39012FAEC3F613AA510CE743A2081AD4098454E41A8D00F8ABF

Extension Data
No extension data

Attestation Statement Chain
none

Attestation Statement in Hex
A0 

}}

  • Select Attestation: None and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{70{

Credential ID
019453B44585F9DFCAB7A2EDD9429DA5CC125AC4ED10CD65EC061597DDA5564EAE5D394553560EADD885C66B77F94B819AE999189A119D7691E6E10BBD6D9B50B9

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • If none of the previous four tries worked:
    • Select Attestation: Undefined and click CREATE.
    • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Otherwise, skip this step.

Copy-paste the result on the right:
Put Unsupported if there was an error{75{

(skipped)

}}

  • If Attestation: Direct worked, select it. Otherwise, if Attestation: Indirect worked, select it. Otherwise, select Attestation: Undefined.

Test CredProtect Extension

  • Select CredProtect Extension: UVOptional and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{80{

Credential ID
01264EC134A175386977AFE7F5E950B0D3C98E23A2B90EE195410B024FFED9FCE2FEAD5D1350C5BF07CEEDB91107BC9000EC3CEE42BBEED6D117690F6C20AA7FE6

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

}}

  • Select CredProtect Extension: UVOptionalWithCredIDList and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{85{

Credential ID
013C211890983D05688E2B86BBF10845D7A388571B645C6860C39D6F62D73228CEC782B624B6CEB096A85826EA36320B6E76CF984F2019D0E1A243A2E458D11BAC

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

}}

  • Select CredProtect Extension: UVRequired and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{90{

Credential ID

01F7C0C6B4B650AFC17F694F90AAB2052EB3E30AA81B3EBAC6DED5AF14EFDFB8C419AA1ADAC8167AD67FD70EED1D854EF565EA25EAAE3D2A0919DFCD3E783CAD64

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • If none of the previous three tries worked:
    • Select CredProtect Extension: Undefined and click CREATE.
    • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Otherwise, skip this step.

Copy-paste the result on the right:
Put Unsupported if there was an error{95{

(skipped)

}}

  • Select CredProtect Extension: Undefined (if not selected already).

Test cryptography

  • Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
  • Check Use ES256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{100{

Credential ID
01E0B1A0E2C999BAF47A469B778750344B6C2277B1D2153962F66018BFE11B5465AEDDDB7CAF50BEB53B6EA230A7C7786E378154B43A7B0A4EBF15BB307C539D7B

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

}}

  • Uncheck Use ES256, check Use ES384 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{105{

Credential ID
0177DCB3BB4E1A54BA913A78A16659126DA09E12F9A8F2A0C91D4F25F16C1429AE76CA1E8EED1A42F994D2AFCEDAAEE31C7950D7C9D1825C847820656B58FAD73E

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

}}

  • Uncheck Use ES384, check Use ES512 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{110{

Credential ID

01FAC6E70DE168E3693F392CE57ABC6B0500BD1E6D5C8759D337594728C9DB2A1BE9240C4C491A7800473258A7F27B449BFEAAE1BF9A3B2B57FE5402904F2DA9A3

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • Uncheck Use ES512, check Use RS256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{115{

Credential ID
019BD6EC53B9B021E51E7149236CCB11A1C70474BBEB1D0D3115E24A27B67C6BEC5819527E2D94405E233FD75862DB4C7B887C32B40613CCCF758E3A6D9F643955

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications 

}}

  • Uncheck Use RS256, check Use EdDSA
  • and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{120{

Credential ID
015E2C3351E1E45FB0AFEE341770FA347346E0B1CB4B0163E897A7FC191F6DC8DD84623B51C2460255C3F25013A64D95F4DD022C16A969322E55F594089FA0D93E

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

Conclusion

Do you have any additional observations or comments related to the entire procedure:{125{

Android obviously ignores the cryptography selection.

It seems that these single-device Android passkeys are not stored in Google Password manager and I did not find a way to list or remove them.

The screen which asks for a fingerprint cannot be screenshot.

}}

  • Please do not forget to paste any pending screenshots in the above tables.
  • You may also paste the screenshot with the passkey(s) created during this test. The list of created passkeys is usually shown along with platform or browser passkey options that you were already asked to screenshot.

Thank you!

  • No labels