See the id of the webauthn id on the login screen

Open mooreds opened this issue 3 years ago • 3 comments

See the id of the webauthn id on the login screen

Description

On the login screen, I see the id of the webauthn object, rather than the name I have associated with it.

Affects versions

EAP 20221020

Steps to reproduce

Use Edge

Register

Try to authenticate.

See the prompt

windowspasswordstuff

See how the text says "Please sign in as CZ8N"? Shouldn't that say 'dan edge 2' which is the display name of my credential?

Expected behavior

See 'dan edge 2', the display name of my credential

Platform

Using Edge (Version 106.0.1370.47 (Official build) (64-bit)) on Windows 10 Home.

mooreds, Oct 20 '22 20:10

This is on Microsoft. There are two naming fields for WebAuthn credentials:

  • displayName - meant to be the primary display name for the credential. The spec states that users should be allowed to choose this value. This is the value entered during registration
  • name - meant to disambiguate credentials with the same displayName. The spec states that relying parties may allow users to choose this value

Examples given in the spec for displayName are real names. Examples (see the second bullet point) for name are email address, username, and phone number. I would expect that the UI presented by the OS would prefer the displayName over name (or display both).

Daniel and I decided to use a random 4 characters for the name by default, similar to what we do for two-factor methods. We wanted to avoid using a username or email address as these values can change within FusionAuth but are immutable on the credential itself within the authenticator. There is some discussion within the WebAuthn WG on reporting changes to a credential (such as the name) to the authenticator, but I don't think development on those features has started yet.

It may be worth discussing internally what we want to use as a default. The API allows specifying this value, but the pages we ship currently always use the random 4 characters.

spwitt, Oct 20 '22 21:10

Is there a tracking bug somewhere that we could link to, if this is truly a Microsoft solution?

mooreds, Oct 20 '22 23:10

I meant more that it seems odd to me that Microsoft is opting to display name in that UI rather than displayName. I haven't read that side of the spec in as much detail, so I'm not sure whether it addresses what should or may be displayed there.

It would probably be good to find a list of known issues for different browsers and operating systems. I'm guessing some things are tracked or discussed in the main WebAuthn repo on GH, but I wouldn't be surprised if many of the browsers and operating systems had separate issue tracking.

spwitt, Oct 20 '22 23:10

The current version of Safari also displays the name rather than the displayName. We may want to reconsider a different value for name.

I had originally used the user's loginId (email or username) for this value, but @robotdan had concerns about the fact that a user can change their email or username in FusionAuth while the value on the credential within the authenticator is fixed.

There are proposed API changes to allow reporting changes to name or displayName to an authenticator, but it sounds like it would require changes to both WebAuthn and CTAP2.

  • https://github.com/w3c/webauthn/issues/1779
  • https://github.com/w3c/webauthn/issues/1637

spwitt, Nov 03 '22 14:11

Internal

  • https://github.com/FusionAuth/fusionauth-app/pull/157

spwitt, Dec 05 '22 15:12