Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Prepare the authenticator that you wish to test. It is recommended to use it only for this test to avoid any conflicts. If necessary, delete the passkey and reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
    1. it may be a hardware authenticator, such as a YubiKey
    2. it may be an operating system authenticator, such as Touch ID or Windows Hello
    3. it may be a software authenticator, such as tpm-fido
    4. it may be a password manager with passkey support, such as Dashlane
  2. Fill details about the authenticator into the table below (vendor, model, OS, browser)
  3. Open https://webauthntest.identitystandards.io/. Be prepared to capture screenshots of each system/browser dialogue that appears. Register multiple times using all the different values mentioned below (randomise combinations at will, or prepare several strict scenarios that ensure coverage?!)Save the parameters used and the corresponding results for each registration.(Later in this process, you will register a passkey multiple times).
  4. Click the "..." button and record copy-paste the diagnostic results (when, where, how to record?).into the result template (rows are labeled the same)
  5. Click the "+" button to create a passkey. Choose the following values:
    1. RP Info: This domain
    2. User Info: Bob
    3. Attachment: undefined
    4. Require Resident Key: true
    5. Resident Key (L2): required
  6. Try out the following combinations:
    1. User Verification: Discouraged/Required (the result should be identical)
  7. Leave User Verification: Required and try out these:
    1. Attestation: Enterprise/Direct/Indirect/None (or Undefined if nothing else works)
  8. Leave Attestation: None and try out these:
    1. CredProtect Extension: userVerificationOptional/userVerificationOptionalWithCredentialIDList/userVerificationRequired (or Undefined if nothing else works)
  9. Select User Verification: Discouraged and click CREATE.
    1. Copy-paste the resulting registration data into row 1. User Verification: Discouraged, or input "unsupported" if there was an error.
  10. Select User Verification: Required and click CREATE.
    1. Copy-paste the resulting registration data into row 2. User Verification: Required, or input "unsupported" if there was an error.
  11. Select Attestation: Enterprise and click CREATE.
    1. Copy-paste the resulting registration data into row 3. Attestation: Enterprise, or input "unsupported" if there was an error.
  12. Select Attestation: Direct and click CREATE.
    1. Copy-paste the resulting registration data into row 4. Attestation: Direct, or input "unsupported" if there was an error.
  13. Select Attestation: Indirect and click CREATE.
    1. Copy-paste the resulting registration data into row 5. Attestation: Indirect, or input "unsupported" if there was an error.
  14. Select Attestation: None and click CREATE.
    1. Copy-paste the resulting registration data into row 6. Attestation: None, or input "unsupported" if there was an error.
  15. If none of the previous four tries worked, select Attestation: Undefined and click CREATE.
    1. Copy-paste the resulting registration data into row 6. Attestation: None, or input "unsupported" if there was an error.
  16. If Attestation: Direct worked, select it; otherwise if Attestation: Indirect worked, select it; otherwise select Attestation: Undefined
  17. Select CredProtect Extension: userVerificationOptional and click CREATE.
    1. Copy-paste the resulting registration data into row 7. CredProtect Extension: userVerificationOptional, or input "unsupported" if there was an error.
  18. Select CredProtect Extension: userVerificationOptionalWithCredentialIDList and click CREATE.
    1. Copy-paste the resulting registration data into row 8. CredProtect Extension: userVerificationOptionalWithCredentialIDList, or input "unsupported" if there was an error.
  19. Select CredProtect Extension: userVerificationRequired and click CREATE.
    1. Copy-paste the resulting registration data into row 9. CredProtect Extension: userVerificationRequired, or input "unsupported" if there was an error.
  20. If none of the previous three tries worked, select CredProtect Extension: Undefined and click CREATE.
    1. Copy-paste the resulting registration data into row 7. CredProtect Extension: userVerificationOptional, or input "unsupported" if there was an error.
  21. Select CredProtect Extension: Undefined (if not selected already)
  22. Unchecking all following checkboxes: Reset CredProtect Extension to Undefined and try out the encryption algorithms by unchecking all checkboxes (Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA). Repeat the registration for each algorithm, selecting one algorithm at a time.

What about using custom environments, such as those with password managers supporting passkeys? Use only vanilla ones?

...

  1. Check Use ES256 and click CREATE.
    1. Copy-paste the resulting registration data into row 10. ES256, or input "unsupported" if there was an error.
  2. Check Use ES384 and click CREATE.
    1. Copy-paste the resulting registration data into row 11. ES384, or input "unsupported" if there was an error.
  3. Check Use ES512 and click CREATE.
    1. Copy-paste the resulting registration data into row 12. ES512, or input "unsupported" if there was an error.
  4. Check Use RS256 and click CREATE.
    1. Copy-paste the resulting registration data into row 13. RS256, or input "unsupported" if there was an error.
  5. Check Use EdDSA and click CREATE.
    1. Copy-paste the resulting registration data into row 14. EdDSA, or input "unsupported" if there was an error.

If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.

Fill in the detailed results in the following template (perhaps it is better to pre-define the authenticator setup and choices to be made and then provide clear placeholders for entering outcomes and outputs):

Authenticator (device) vendor
Authenticator model (or phone/laptop model?)(device) model
I registered a PIN/password/fingerprintfinger/face etc. (PIN/password or biometric) in the authenticator before the test. (shorten this label?) yes/no
OS and its version
Browser and its version
Platform authenticator (isUVPAA)
Conditional Mediation (Autofill UI)
CTAP2 support (Firefox)

1. User Verification: Discouraged


2. User Verification: Required
3. Attestation: Enterprise
4. Attestation: Direct
5. Attestation: Indirect
6. Attestation: None
7. CredProtect Extension: userVerificationOptional
8. CredProtect Extension: userVerificationOptionalWithCredentialIDList
9. CredProtect Extension: userVerificationRequired
10. ES256
11. ES384
12. ES512
13. RS256
14. EdDSA

Attach screenshots of the system/browser dialogues

...

.


Send the filled out table along with screenhots into the GÉANT Slack, channel #ω-passkey-testingAdd a comment to the page with the completed table filled out. The results will be aggregated into the summarised table below.What about trying or at least screenshotting platform-specific passkey options that might be offered during registration? Is there anything else we are interested in? E.g., if several user identities (existing on the device) are selectable here, per passkey single device use of a passkey (i.e. forbidding passkey syncing by user), user notes about passkey...?

A sign-in screen that asks whether to save a passkey for the account. The Continue and Other Options buttons are at the bottom of the screen.Image Removed

Are we interested in the platform's general options, like those on the last screen here?

Image Removed

I guess that we won't be testing sign-in features supported by the platform, as these may easily change and others will be testing them anyway!?

Summarised results

Authenticator vendorAuthenticator modelAuthenticator was set up for UV before the testOS+versionbrowser+version
YubicoYubiKey 5no


YubicoYubiKey 5yes


MicrosoftWindows Hello
Windows 10 without TPM

MicrosoftWindows Hello
Windows 10 with TPM

MicrosoftWindows Hello
Windows 11 (with TPM)

AppleiPhone XY
iOS


MacBook year size
macOS versionNo


MacBook Air year size
macOS versionNo


MacBook Pro year size
macOS versionNo

Android phone brandAndroid phone model
Android XY

SamsungS22+
Android 13

...