How to test
To ensure a successful test of the authenticator, please follow these steps:
- Prepare the authenticator that you want wish to test. It is ideal recommended to only use it only for the test once, otherwise it might be needed to this test to avoid any conflicts. If necessary, delete the passkey and reset the authenticator's settings (e.g., disable PIN).
- Open https://webauthntest.identitystandards.io/. Be prepared to take capture screenshots of each system/browser dialog dialogue that appears. Try registering Register multiple times with using all the different values mentioned below , and save (randomise combinations at will, or prepare several strict scenarios that ensure coverage?!). Save the parameters used and the result corresponding results for each timeregistration.
- Click the "..." button and put down record the results of the diagnosticdiagnostic results (when, where, how to record?).
- Click the "+" button to create a passkey. Choose the following values:
- RP Info: This domain
- User Info: Bob
- Attachment: undefined
- Require Resident Key: true
- Resident Key (L2): required
- Try out thesethe following combinations:
- User Verification: Discouraged/Required (the result should be identical)
- Leave User Verification: Required and try out these:
- Attestation: Enterprise/Direct/Indirect/None (or Undefined if nothing else works)
- Leave Attestation: None and try out these:
- CredProtect Extension: userVerificationOptional/userVerificationOptionalWithCredentialIDList/userVerificationRequired (or Undefined if nothing else works)
- Reset CredProtect Extension to Undefined and try out the encryption algorithms by unchecking all checkboxes (Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA) and repeating . Repeat the registration once for each algorithm (only select , selecting one algorithm at a time.
What about using custom environments, such as those with password managers supporting passkeys? Use only vanilla ones?
It is not mentioned how the authenticator should be set up above (UV). Can it be an option on the different platforms besides Yubikey?
If there is you encounter an error message like "Authenticator data cannot be parsed", it means indicates that the select combination of arguments used is not supported by the examined authenticator being tested.
Fill in the detailed results in the following template (perhaps it is better to pre-define the authenticator setup and choices to be made and then provide clear placeholders for entering outcomes and outputs):
| Authenticator vendor | |
|---|---|
| Authenticator model (or phone/laptop model?) | |
| I have registered a PIN/fingerprint/face etc. (PIN/password or biometric) in the authenticator before the test. (shorten this label?) | yes/no |
| OS +and its versionbrowser+ | |
| Browser and its version | |
| Platform authenticator (isUVPAA) | |
| Conditional Mediation (Autofill UI) | |
| CTAP2 support (Firefox) | |
1. User Verification: Discouraged | |
| 2. User Verification: Required | |
| 3. Attestation: Enterprise | |
| 4. Attestation: Direct | |
| 5. Attestation: Indirect | |
| 6. Attestation: None | |
| 7. CredProtect Extension: userVerificationOptional | |
| 8. CredProtect Extension: userVerificationOptionalWithCredentialIDList | |
| 9. CredProtect Extension: userVerificationRequired | |
| 10. ES256 | |
| 11. ES384 | |
| 12. ES512 | |
| 13. RS256 | |
| 14. EdDSA | |
| Screenshot(s) Attach screenshots of the system/browser dialog(s)dialogues (where/how? - Better to use a GDoc?) |
Add Then add a comment to this the page with this the completed table filled out. Results The results will be later aggregated into the summarised table below.
What about trying or at least screenshotting platform-specific passkey options that might be offered during registration? Is there anything else we are interested in? E.g.
...
, if several user identities (existing on the device) are selectable here, per passkey single device use of a passkey (i.e. forbidding passkey syncing by user), user notes about passkey...?
Are we interested in the platform's general options, like those on the last screen here?
I guess that we won't be testing sign-in features supported by the platform, as these may easily change and others will be testing them anyway!?
Summarised results
| Authenticator vendor | Authenticator model | Authenticator was setup set up for UV before the test | OS+version | browser+version | |
|---|---|---|---|---|---|
| Yubico | YubiKey 5 | no | |||
| Yubico | YubiKey 5 | yes | |||
| Microsoft | Windows Hello | Windows 10 without TPM | |||
| Microsoft | Windows Hello | Windows 10 with TPM | |||
| Microsoft | Windows Hello | Windows 11 (with TPM) | |||
| Apple | iPhone XY | iOS | |||
| MacBook year size | macOS versionNo | ||||
| MacBook Air year size | macOS versionNo | ||||
| MacBook Pro year size | macOS versionNo | ||||
| Android phone brand | Android phone model | Android XY | |||
| Samsung | S22+ | Android 13 |