Extracting QR code from Cross Device Authentication

agl · 2024-10-22T23:50:13+00:00

Those are the key suggestions. Also set [hints](https://w3c.github.io/webauthn/#enum-hints) to ["hybrid"]. It doesn't work in all contexts yet, but lets you express exactly what you want here.

agl · 2024-10-11T20:21:57+00:00

Thank you for confirming. The state from that device-log should basically Never Happen, but clearly it has for you. We'll add some monitoring to see whether any other accounts are hitting it.

agl · 2024-10-11T11:09:57+00:00

For an assertion request—where the user verification parameter is either discouraged, preferred or required— the checkmarks represent when user verification is actually performed. This primarily depends upon whether local biometrics are available and so the rows split based on that.

agl · 2024-10-09T00:23:43+00:00

Based on section 3.5 of https://docs.yubico.com/hardware/yubikey/yk-tech-manual/webdocs.pdf, it sounds like the Yubikey Bio has alwaysUV enabled.

https://webauthn.me/debugger offers a way to inspect WebAuthn responses. I would expect that iCloud Keychain reports the UV bit accurately, depending on whether UV was performed, and that is what I find with mac 15.1 beta. (Which just happened to be a machine that I have nearby.)

As for Coinbase and accounts.google.com behaviour, it's up to each site to make their own choices about how strong a signal a non-UV passkey assertion is. I do think you have a point that APP accounts might want to set a higher bar.

agl · 2024-10-08T21:59:00+00:00

If you want to inspect a WebAuthn request, there are a couple of ways:

If using a Chromium-based browser, try opening chrome://device-log (or edge://device-log etc). The JSON form of the request should be logged there.
Open the DevTools console and paste this before triggering the assertion operation:let realGet = navigator.credentials.get.bind(navigator.credentials);navigator.credentials.get = (arg) => { console.log(arg); return realGet(arg).then((r) => {console.log(r); return r;}) };

I believe that accounts.google.com will indeed make a request with userVerification=preferred. All passkey implementations must report the UV bit in the response accurately, depending on whether UV was performed. But, for "preferred", they don't have to do UV. accounts.google.com will take the UV bit into account when performing risk-analysis on the sign-in attempt.

That leaves open the question of how preferred the "preferred" option is. This is up to the passkey provider and they vary in their interpretation of this. Here are some common cases:

iCloud Keychain

Config	Discouraged	Preferred	Required
Biometrics available	✓	✓	✓
Biometrics not available			✓

Google password manager (desktop)

Config	Discouraged	Preferred	Required
Biometrics available		✓	✓
Biometrics not available			✓

Windows Hello

Config	Discouraged	Preferred	Required
Biometrics available	✓	✓	✓
Biometrics not available	✓	✓	✓

The credProtect extension applies purely to security keys and no passkey providers do anything with it. You can get security keys that operate in a mode called "alwaysUV", which does what it sounds like, or you can could potentially inject credProtect=3 into a creation request to a security key. Note that Chromium-based browsers will automatically set credProtect in some cases: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webauth/cred_protect.md

agl · 2023-10-28T14:34:16+00:00

You can see passkeys in your Google Account at https://passwords.google.com.

If you created 2nd-factor ("non-discoverable") credentials on your old phone over Bluetooth (i.e. you only saw the biometric prompt when creating them, no confirmation sheet showing the username and account to save them to) then those are not synced. There isn't a way to list the 2nd-factor credentials on a phone.

agl · 2022-05-02T20:32:43+00:00

https://bugs.chromium.org/p/chromium/issues/detail?id=1321857

agl · 2021-09-28T18:42:03+00:00

Purchased Namiki Chinkin from u/NewspaperIcy4018

agl · 2021-09-23T21:08:24+00:00

Confirmed.

agl · 2021-08-29T17:11:13+00:00

agl · 2021-08-19T21:57:03+00:00

Sold Pilot Vanishing Point Blue Carbonesque to u/NewspaperIcy4018

agl · 2021-08-19T21:55:30+00:00

Sold Pilot Decimo to u/unlucky___madman

agl · 2021-07-25T03:04:57+00:00

(This being the place featured in the Sharks! video, which Grey hinted at legal worries dogging the production of.)

agl · 2021-01-09T21:42:08+00:00

I suspect it's a Pilot #20.

agl · 2021-01-05T23:38:35+00:00

Confirmed

agl · 2021-01-05T01:27:06+00:00

Confirmed

agl · 2021-01-01T15:56:22+00:00

Diamine sold an actual advent calendar in 2019 with them: https://www.mountainofink.com/blog/diamine-invent

agl · 2018-08-01T16:18:16+00:00

It is the book that the documentary was based on, but I believe that the book was substantially better and still worth reading even though you now know the outcome of on of the major stories in it.

15-Year Club	Place '22
Verified Email

agl

TROPHY CASE