Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Create a copy of this page as a sibling and complete it as instructed below.

Describe the platform

To ensure a successful test of the authenticator, please follow these steps:

  • For this test, you need a computer or mobile device and a hardware or software authenticator. It may be:
    • Hardware authenticator, such as YubiKey.
    • Operating system authenticator, such as Touch ID or Windows Hello.
    • Software authenticator, such as tpm-fido.
    • Password manager with passkey support, such as Dashlane.
  • The actions performed during this test are parts of regular usage and should not affect the authenticator in any way. However, you may choose to use a brand-new authenticator, reset or clear it to avoid any conflicts during the test.
  • If necessary, delete the passkey that you create during this testing if it prevents you from creating it again. This should not happen, but if it does, please provide a screenshot and an accompanying note. If you are willing to, reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
  • xx
  • Then don't test it, or fill "yes" into "I registered a PIN/password/finger/face in the authenticator before the session".
  • Fill in the details in the table below:

Tester:
@ (name yourself){10{

Branko Marovic 

}}Date:
Use '//' to input date{15{

 

}}Authenticator (or device) vendor:
Yubico, Apple, Dell, HP, Android phone brand...{317{
Lenovo
}}Authenticator (or device) model:
YubiKey 5 NFC, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...{20{
IdeaPad 720S 14in
}}OS and its version:
iOS 13, macOS 10.5.8, Windows 10 22h222H2, Windows 11 22h222H2, Android 13...{25{

Windows 11 22H2

}}Browser and its version:
Chrome 114, Firefox 114...{30{
Firefox 114
}}I registered a PIN/password/finger/face in the authenticator before the session:
Enter yes or no{35{

}}

Yes or No
(
The situation where you have not previously registered in the authenticator is interesting for checking if the passkey creation will trigger user registration.){35{

Yes

}}

  • Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.

Capture the platform or browser passkey options

  • If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and paste or attach them here.
    • If you are using a password manager, capture its passkey-related options.
    • If you are using a browser supporting passkeys, capture its options instead.
    • If f you are using an operating system to manage passkeys, capture its options instead.

This is an exemplary path, only screenshot the passkey options (the rightmost screen below):

Image Removed

Possible locations:

    • Windows 11: Settings > Accounts > Passkeys
    • iOS: Settings > Apple ID > iCloud > Passwords & Keychain
    • Chrome (Windows): Settings > Autofill and passwords > Password Manager > Manage passkeys

These are exemplary paths. You need to screenshot the only passkey-related options. Please paste screenshots in or outside this table as suitable:

Get diagnostics

Get diagnostics

  • Open https://webauthntest.identitystandards.io/.
  • Log in using any user name - this is probably just for the app's internal logging.
  • Click the Click the "..." button.
  • If there are any problems while doing the above, try another time or use another device. If the problem persists, please let us know over Slack.

}}Copy-paste the diagnostic results on the right as text (rows are labelled the same):

Platform authenticator (isUVPAA) :


Conditional Mediation (Autofill UI) :


CTAP2 support (Firefox) :


{40{

Platform authenticator (isUVPAA) Available


Conditional Mediation (Autofill UI) Not defined


CTAP2 support (Firefox) Supported

}}

Set repeated settings

  • Click the "+" button to create a passkey. Choose the following values:
    • RP Info: This domain
    • User Info: Bob
    • Attachment: undefinedUndefined
    • Require Resident Key: trueTrue
    • Resident Key (L2): requiredRequired

It should look like this:

Create passkeys using various settings


  • Capture and paste below the screenshot of various prompts, screens, dialogues, questions or messages that show up during passkey registration as you encounter them.
    • If some options are offered, snapshot them as well, but do not change anything.
    • Capture screenshots at each step of the first passkey creation.
    • Also, capture screenshots when new screens appear during subsequent passkey creations and add them here.
    • Try not to duplicate screenshots of the same steps, as interactions will likely look similar.
    • If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.

    • You can add a note to a screenshot if you encounter an error or find something interesting.

Please insert or paste screenshots in or outside this table as suitable, preferably putting the related screenshots in one row (you can place a note beneath an image in the same cell):

Seq1

Image Modified

Image Modified






Seq2 (just new screens)

on ES256

On Use ES***, Use EdDSA

Image RemovedImage Added

Image Modified

after After Cancel

...



Seq3 (just new screens)





Seq4 (just new screens)





Test User Verification

  • Select User Verification: Discouraged and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{45{

bob@example.com


Credential ID
9E26B7E94A044A728ABC94159A4C50C4C95C3C4A9AA3C9FCDFD579D6E6FD0A0D

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

...

  • Select User Verification: Required and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

...

  • Note that the latest result is the rightmost in the bottom row. You may delete already pasted results.
  • All authenticators should be able to register multiple passkeys for the same domain, so you do not need to delete the previously created one. It is likely that the passkeys you create will override each other since they are for the same domain and use the same user name "bob@example.com").

Copy-paste the result on the right:
Put Unsupported if there was an error{50{

bob@example.com


Credential ID
0CCC6D88881BACA16CED184FB1B922C0C34783B2C72E11F54811896FBFB04D67

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

Test Attestation

  • Select Attestation: Enterprise and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
on the right:
Put unsupported if there was an error{50{

Copy-paste the result on the right:
Put Unsupported if there was an error{55{

bob@example.com


Credential ID
D7F528DBDABF8A5B6C60A7BA9C85044575B248E913FBE05B20BDE96C457E606D

bob@example.com

Credential ID
0CCC6D88881BACA16CED184FB1B922C0C34783B2C72E11F54811896FBFB04D67

RP ID
webauthntest.identitystandards.io

AAGUID
000000006028B017-0000B1D4-00004C02-0000B4B3-000000000000AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

Test Attestation

  • Select Attestation: Enterprise Direct and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{5560{

bob@example.com


Credential ID
D7F528DBDABF8A5B6C60A7BA9C85044575B248E913FBE05B20BDE96C457E606DB434D40FAED7B4D96AD32A11805B4D4C43EA28BE07F6CE503C177B3CEE9ABCA0

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: none packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • Select Attestation: Direct Indirect and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{6065{

bob@example.com


Credential ID
B434D40FAED7B4D96AD32A11805B4D4C43EA28BE07F6CE503C177B3CEE9ABCA0569A7E5B70B46FA2A3ACA4C6A3C147483D1ABD61EFE48340AFAF34B3A51FB883

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • Select Attestation: Indirect None and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{6570{

bob@example.com


Credential ID
569A7E5B70B46FA2A3ACA4C6A3C147483D1ABD61EFE48340AFAF34B3A51FB883E6D4C54648060D82E569C876C6DBBF3EE09669B65496406017D837189753ACED

RP ID
webauthntest.identitystandards.io

AAGUID
6028B01700000000-B1D40000-4C020000-B4B30000-AFCDAFC96BB2000000000000

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed none (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • If none of the previous four tries worked:
    • Select Attestation:
    None
    • Undefined and click CREATE.
    • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Otherwise, skip this step.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{7075{

bob@example.com


Credential ID
E6D4C54648060D82E569C876C6DBBF3EE09669B65496406017D837189753ACED584516D03A66476A3A677932DB9283C3965279F3EAB732FBE50E6E7DA445966B

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • If Attestation: Direct worked, select it. Otherwise, if Attestation: Indirect worked, select it. Otherwise, select Attestation: Undefined.

Test CredProtect Extension

  • Select CredProtect Extension: UVOptional none of the previous four tries worked,Select Attestation: Undefined and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{7580{

bob@example.com


Credential ID
584516D03A66476A3A677932DB9283C3965279F3EAB732FBE50E6E7DA445966B9C054149C58125BE843143366B4B49613509B61CFE19598FDC76B2AA0622EEA4

RP ID
webauthntest.identitystandards.io

AAGUID
000000006028B017-0000B1D4-00004C02-0000B4B3-000000000000AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: none packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • If Attestation: Direct worked, select it. Otherwise, if Attestation: Indirect worked, select it. Otherwise, select Attestation: Undefined.

...

  • Select CredProtect Extension: UVOptionalUVOptionalWithCredIDListand click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{8085{

bob@example

bob@xample.com


Credential ID
9C054149C58125BE843143366B4B49613509B61CFE19598FDC76B2AA0622EEA49298B5142D3342A5C29A96F0B6CC08BAA979ABA5AE504D3955B088F55921261F

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

...

  • Select CredProtect Extension: UVOptionalWithCredIDListUVRequiredand click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{8590{

bob@xample

bob@example.com


Credential ID
9298B5142D3342A5C29A96F0B6CC08BAA979ABA5AE504D3955B088F55921261F5B79C4C99D32AE86009ED944BA44B240730D341D2A22408E975F3B612FA9B5E7

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • If none of the previous three tries worked:
    • Select CredProtect Extension:
    UVRequired
    • Undefinedand click CREATE.
    • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Otherwise, skip this step.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{9095{

bob@example.com


Credential ID
5B79C4C99D32AE86009ED944BA44B240730D341D2A22408E975F3B612FA9B5E7DC36850DFC6E6768FB4ED82EFAA2EF4C0C9AD9E1C04C6617A65A16C07FA9AE85

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

...

  • Select CredProtect Extension: Undefinedand click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

...

Copy-paste the result on the right:
Put unsupported if there was an error{95{

  • : Undefined (if not selected already).

Test cryptography

  • Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
  • Check Use ES256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{100{

Unsupported
Reqiredsecurity key, I chose 'Cancel'

}}

  • Uncheck Use ES256, check Use ES384 and

bob@example.com

Credential ID
DC36850DFC6E6768FB4ED82EFAA2EF4C0C9AD9E1C04C6617A65A16C07FA9AE85

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • Select CredProtect Extension: Undefined (if not selected already).

Test cryptography

  • Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
  • Check Use ES256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{100105{

Error - requested Unsupported
Reqiredsecurity key,   I chose 'Cancel'

}}

  • Uncheck Use ES256ES384, check Use ES384ES512 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{105110{

same as previouslyUnsupported
Reqiredsecurity key, I chose 'Cancel'

}}

  • Uncheck Use ES384ES512, check Use ES512RS256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported Unsupported if there was an error{110{

same as previously

}}

  • Uncheck Use ES512, check Use RS256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

...

Copy-paste the result on the right:
Put unsupported if there was an error{115{

bob@example.com

Credential ID
E913A00D2570579E2766E27362D2456D4E08A33303B5A9B9506511958CF0651D

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

115{

bob@example.com


Credential ID
E913A00D2570579E2766E27362D2456D4E08A33303B5A9B9506511958CF0651D

RP ID
webauthntest.identitystandards.io

AAGUID
6028B017-B1D4-4C02-B4B3-AFCDAFC96BB2

Credential Registration Data [more details]
Key Type: RSA
Discoverable Credential: true
Attestation Type: packed (unverified)
UP=1, UV=1, AT=1, ED=0, SignCount=0

Last Authentication Data [more details]
No authentications

}}

  • Uncheck Use RS256, check Use EdDSA
  • and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{120{

Error - requested security key,  I chose 'Cancel'

}}

Conclusion

Do you have any additional observations or comments related to the entire procedure:{125{


}}

  • Please do not forget to paste any pending screenshots in the above tables.
  • You may also paste the screenshot with the passkey(s) created during this test. The list of created passkeys is usually shown along with platform or browser passkey options that you were already asked to screenshot.

Last Authentication Data [more details]
No authentications

}}

  • Uncheck Use RS256, check Use EdDSA
  • and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

...

Copy-paste the result on the right:
Put unsupported if there was an error{120{

...

Error - requested key,  I chose 'Cancel'

}}

...

Thank you!