How to test
To ensure a successful test of the authenticator, please follow these steps:
- Prepare the authenticator that you want wish to test. It is ideal recommended to only use it only for the test once, otherwise it might be needed to this test to avoid any conflicts. If necessary, delete the passkey and reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
- it may be a hardware authenticator, such as a YubiKey
- it may be an operating system authenticator, such as Touch ID or Windows Hello
- it may be a software authenticator, such as tpm-fido
- it may be a password manager with passkey support, such as Dashlane
- Fill details about the authenticator into the table below (vendor, model, OS, browser)
- Open https://webauthntest.identitystandards.io/. Be prepared to take capture screenshots of each system/browser dialog dialogue that appears. Try registering multiple times with all the different values mentioned below, and save the parameters used and the result each time(Later in this process, you will register a passkey multiple times).
- Click the "..." button and put down copy-paste the results of the diagnostic.diagnostic results into the result template (rows are labeled the same)
- Click the "+" button to create a passkey. Choose the following values:
- RP Info: This domain
- User Info: Bob
- Attachment: undefined
- Require Resident Key: true
- Resident Key (L2): required
- Select User Verification: Discouraged and click CREATE.
- Copy-paste the resulting registration data into row 1. User Verification: Discouraged, or input "unsupported" if there was an error.
- Select Try out these:User Verification: Discouraged/Required (the result should be identical)Required and click CREATE.
- Copy-paste the resulting registration data into row 2.
- User Verification: Required
- Attestation: Enterprise/Direct/Indirect/None (or Undefined if nothing else works)
- Leave Attestation: None and try out these:
- CredProtect Extension: userVerificationOptional/userVerificationOptionalWithCredentialIDList/userVerificationRequired (or Undefined if nothing else works)
- Reset CredProtect Extension to Undefined and try out the encryption algorithms by unchecking all checkboxes (Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA) and repeating the registration once for each algorithm (only select one algorithm at a time)
If there is an error like "Authenticator data cannot be parsed", it means that the select combination of arguments is not supported by the examined authenticator.
Fill in the detailed results in the following template:
...
- , or input "unsupported" if there was an error.
- Select Attestation: Enterprise and click CREATE.
- Copy-paste the resulting registration data into row 3. Attestation: Enterprise, or input "unsupported" if there was an error.
- Select Attestation: Direct and click CREATE.
- Copy-paste the resulting registration data into row 4. Attestation: Direct, or input "unsupported" if there was an error.
- Select Attestation: Indirect and click CREATE.
- Copy-paste the resulting registration data into row 5. Attestation: Indirect, or input "unsupported" if there was an error.
- Select Attestation: None and click CREATE.
- Copy-paste the resulting registration data into row 6. Attestation: None, or input "unsupported" if there was an error.
- If none of the previous four tries worked, select Attestation: Undefined and click CREATE.
- Copy-paste the resulting registration data into row 6. Attestation: None, or input "unsupported" if there was an error.
- If Attestation: Direct worked, select it; otherwise if Attestation: Indirect worked, select it; otherwise select Attestation: Undefined
- Select CredProtect Extension: userVerificationOptional and click CREATE.
- Copy-paste the resulting registration data into row 7. CredProtect Extension: userVerificationOptional, or input "unsupported" if there was an error.
- Select CredProtect Extension: userVerificationOptionalWithCredentialIDList and click CREATE.
- Copy-paste the resulting registration data into row 8. CredProtect Extension: userVerificationOptionalWithCredentialIDList, or input "unsupported" if there was an error.
- Select CredProtect Extension: userVerificationRequired and click CREATE.
- Copy-paste the resulting registration data into row 9. CredProtect Extension: userVerificationRequired, or input "unsupported" if there was an error.
- If none of the previous three tries worked, select CredProtect Extension: Undefined and click CREATE.
- Copy-paste the resulting registration data into row 7. CredProtect Extension: userVerificationOptional, or input "unsupported" if there was an error.
- Select CredProtect Extension: Undefined (if not selected already)
- Unchecking all following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA
- Check Use ES256 and click CREATE.
- Copy-paste the resulting registration data into row 10. ES256, or input "unsupported" if there was an error.
- Uncheck UseES256, check Use ES384 and click CREATE.
- Copy-paste the resulting registration data into row 11. ES384, or input "unsupported" if there was an error.
- Uncheck UseES384, check Use ES512 and click CREATE.
- Copy-paste the resulting registration data into row 12. ES512, or input "unsupported" if there was an error.
- Uncheck UseES512, check Use RS256 and click CREATE.
- Copy-paste the resulting registration data into row 13. RS256, or input "unsupported" if there was an error.
- Uncheck UseRS256, check Use EdDSA and click CREATE.
- Copy-paste the resulting registration data into row 14. EdDSA, or input "unsupported" if there was an error.
If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.
Create a copy of this page: https://wiki.geant.org/x/YBC-JQ and fill the table as instructed above.
The results will be aggregated into the summarised table below.
Summarised
...
1. User Verification: Discouraged
...
Then add a comment to this page with this table filled out. Results will be later aggregated into the table below.
...
results
Authenticator vendor | Authenticator model | Authenticator was setup set up for UV before the test | OS+version | browser+version | |
---|---|---|---|---|---|
Yubico | YubiKey 5 | no | |||
Yubico | YubiKey 5 | yes | |||
Microsoft | Windows Hello | Windows 10 without TPM | |||
Microsoft | Windows Hello | Windows 10 with TPM | |||
Microsoft | Windows Hello | Windows 11 (with TPM) | |||
Apple | iPhone XY | iOS | |||
MacBook year size | macOS versionNo | ||||
MacBook Air year size | macOS versionNo | ||||
MacBook Pro year size | macOS versionNo | ||||
Android phone brand | Android phone model | Android XY | |||
Samsung | S22+ | Android 13 |