You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Create a copy of this page as a sibling and fill in that copy as instructed below.

Describe the platform

To ensure a successful test of the authenticator, please follow these steps:

  • For this test you need a computer or mobile device and a hardware or software authenticator
    • It may be a hardware authenticator, such as a YubiKey. It may be:
    • Sperating system authenticator, such as Touch ID or Windows Hello.
    • Software authenticator, such as tpm-fido.
    • Password manager with passkey support, such as Dashlane.
  • The actions performed during this test are parts of regular usage and should not affect it in any way. However, you may decide to use a brand-new authenticator, reset or clear it to avoid any conflicts during the test.
  • If necessary, delete the passkey that you create during this testing if it prevents you from creating it again. This should not happen, but if it does, please provide a screenshot and an accompanying note. If you are willing to, reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
  • Then don't test it, or fill "yes" into "I registered a PIN/password/finger/face in the authenticator before the session".
  • Fill in the details in the table below:

Tester:
@ (name yourself){10{


}}Date:
Use '//' wiki date{15{
}}Authenticator (or device) vendor:
Yubico, Apple, Dell, HP, Android phone brand...{3{
}}Authenticator (or device) model:
YubiKey 5, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...{20{
}}OS and its version:
iOS 13, macOS 10.5.8, Windows 10 22h2, Windows 11 22h2, Android 13...{25{


}}Browser and its version:
Chrome 114, Firefox 114...{30{
}}I registered a PIN/password/finger/face in the authenticator before the session:

Enter yes or no{35{


}}

  • Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.

Capture the platform or browser passkey options

  • If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and attach them here.
    • If there are password manager options, only capture them.
    • If there are browser options, capture them instead.
    • If there are operating system options, capture them instead.

This is an exemplary path, screenshot only the screen(s) with passkey options (the last one below):

Paste system options screenshots on the right:


Get diagnostics

}}Copy-paste the diagnostic results on the right as text (rows are labelled the same):

Platform authenticator (isUVPAA):

Conditional Mediation (Autofill UI):

CTAP2 support (Firefox):

{40{


}}

Set repeated settings

  • Click the "+" button to create a passkey. Choose the following values:
    • RP Info: This domain
    • User Info: Bob
    • Attachment: undefined
    • Require Resident Key: true
    • Resident Key (L2): required

It should look like this:

Create passkeys using various settings

If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.

Capture screenshots during the first test in each step, plus any time a new screen appears in any other test.

  • Capture and paste below the screenshot of various prompts, screens, dialogues, questions or messages that show up during passkey registration as you encounter them.
    • If some options are offered, snapshot them as well, but do not change anything.
    • There is no need to repeat similar screenshots, you can also add a text note if find an error or something interesting.
    • As you see additional screens during subsequent interactions, just add them here. Usually, interactions will look mostly the same, so there is no need to take duplicate screenshots.

Paste screenshots here in this table or as otherwise suitable:

















Test User Verification

  • Select User Verification: Discouraged and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported if there was an error{45{


}}

  • Select User Verification: Required and click CREATE.


  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put unsupported if there was an error{50{


}}

Test Attestation

  • Select Attestation: Enterprise and click CREATE.
    1. Copy-paste the resulting registration data into row 3. Attestation: Enterprise, or input "unsupported" if there was an error.
  • Select Attestation: Direct and click CREATE.
    1. Copy-paste the resulting registration data into row 4. Attestation: Direct, or input "unsupported" if there was an error.
  • Select Attestation: Indirect and click CREATE.
    1. Copy-paste the resulting registration data into row 5. Attestation: Indirect, or input "unsupported" if there was an error.
  • Select Attestation: None and click CREATE.
    1. Copy-paste the resulting registration data into row 6. Attestation: None, or input "unsupported" if there was an error.
  • If none of the previous four tries worked, select Attestation: Undefined and click CREATE.
    1. Copy-paste the resulting registration data into row 6. Attestation: None, or input "unsupported" if there was an error.
  • If Attestation: Direct worked, select it; otherwise, if Attestation: Indirect worked, select it; otherwise select Attestation: Undefined.

Test CredProtect Extension

  • Select CredProtect Extension: userVerificationOptional and click CREATE.
    1. Copy-paste the resulting registration data into row 7. CredProtect Extension: userVerificationOptional, or input "unsupported" if there was an error.
  • Select CredProtect Extension: userVerificationOptionalWithCredentialIDList and click CREATE.
    1. Copy-paste the resulting registration data into row 8. CredProtect Extension: userVerificationOptionalWithCredentialIDList, or input "unsupported" if there was an error.
  • Select CredProtect Extension: userVerificationRequired and click CREATE.
    1. Copy-paste the resulting registration data into row 9. CredProtect Extension: userVerificationRequired, or input "unsupported" if there was an error.
  • If none of the previous three tries worked, select CredProtect Extension: Undefined and click CREATE.
    1. Copy-paste the resulting registration data into row 7. CredProtect Extension: userVerificationOptional, or input "unsupported" if there was an error.
  • Select CredProtect Extension: Undefined (if not selected already).

Test cryptography

  • Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
  • Check Use ES256 and click CREATE.
    1. Copy-paste the resulting registration data into row 10. ES256, or input "unsupported" if there was an error.
  • Uncheck UseES256, check Use ES384 and click CREATE.
    1. Copy-paste the resulting registration data into row 11. ES384, or input "unsupported" if there was an error.
  • Uncheck UseES384, check Use ES512 and click CREATE.
    1. Copy-paste the resulting registration data into row 12. ES512, or input "unsupported" if there was an error.
  • Uncheck UseES512, check Use RS256 and click CREATE.
    1. Copy-paste the resulting registration data into row 13. RS256, or input "unsupported" if there was an error.
  • Uncheck UseRS256, check Use EdDSA and click CREATE.
    1. Copy-paste the resulting registration data into row 14. EdDSA, or input "unsupported" if there was an error.

I would skip this, and if needed, place some identifying labels above for easier extraction from test results pages.

The results will be aggregated into the summarised table below.

Platform authenticator (isUVPAA)
Conditional Mediation (Autofill UI)
CTAP2 support (Firefox)

1. User Verification: Discouraged


2. User Verification: Required
3. Attestation: Enterprise
4. Attestation: Direct
5. Attestation: Indirect
6. Attestation: None
7. CredProtect Extension: userVerificationOptional
8. CredProtect Extension: userVerificationOptionalWithCredentialIDList
9. CredProtect Extension: userVerificationRequired
10. ES256
11. ES384
12. ES512
13. RS256
14. EdDSA
  • No labels