How to test
- Prepare the authenticator that you want to test. It is ideal to only use it for the test once, otherwise it might be needed to delete the passkey and reset the authenticator's settings (e.g. disable PIN).
- Open https://webauthntest.identitystandards.io/ Be prepared to take screenshots of each system/browser dialog that appears. Try registering multiple times with all the different values mentioned below, and save the parameters used and the result each time.
- Click the "+" button to create a passkey. Choose the following values:
- RP Info: This domain
- User Info: Bob
- Attachment: undefined
- Require Resident Key: true
- Resident Key (L2): required
- Try out these:
- User Verification: Discouraged/Required (the result should be identical)
- Leave User Verification: Required and try out these:
- Attestation: Enterprise/Direct/Indirect/None (or Undefined if nothing else works)
- Leave Attestation: None and try out these:
- CredProtect Extension: userVerificationOptional/userVerificationOptionalWithCredentialIDList/userVerificationRequired (or Undefined if nothing else works)
- Reset CredProtect Extension to Undefined and try out the encryption algorithms by unchecking all checkboxes (Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA) and repeating the registration once for each algorithm (only select one algorithm at a time)
If there is an error like "Authenticator data cannot be parsed", it means that the select combination of arguments is not supported by the examined authenticator.
Then add send the results / add them to the table below.
Results
Authenticator vendor | Authenticator model | Authenticator was setup for UV before test | OS+version | browser+version | |
---|---|---|---|---|---|
Yubico | YubiKey 5 | no | |||
Yubico | YubiKey 5 | yes | |||
Microsoft | Windows Hello | Windows 10 without TPM | |||
Microsoft | Windows Hello | Windows 10 with TPM | |||
Microsoft | Windows Hello | Windows 11 (with TPM) | |||