Create a copy of this page as a sibling and complete it as instructed below. Please do not disturb markers such as {10{ and }}.
Describe the platform
To ensure a successful test of the authenticator, please follow these steps:
- For this test, you need a computer or mobile device and a hardware or software authenticator. It may be:
- Hardware authenticator, such as YubiKey.
- Operating system authenticator, such as Touch ID or Windows Hello.
- Software authenticator, such as tpm-fido.
- Password manager with passkey support, such as Dashlane.
- The actions performed during this test are parts of regular usage and should not affect the authenticator in any way. However, you may choose to use a brand-new authenticator, reset or clear it to avoid any conflicts during the test.
- If necessary, delete the passkey that you create during this testing if it prevents you from creating it again. This should not happen, but if it does, please provide a screenshot and an accompanying note. If you are willing to, reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
- Fill in the details in the table below:
Tester: | |
---|---|
}}Date: Use '//' to input date{15{ |
|
}}Authenticator (or device) vendor: Yubico, Apple, Dell, HP, Android phone brand...{17{ | Apple |
}}Authenticator (or device) model: YubiKey 5 NFC, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...{20{ | iPhone 7 |
}}OS and its version: iOS 13, macOS 10.5.8, Windows 10 22H2, Windows 11 22H2, Android 13...{25{ | iOS 15.7.8 |
}}Browser and its version: Chrome 114, Firefox 114...{30{ | Safari |
}}I registered a PIN/password/finger/face in the authenticator before the session: Yes or No (The situation where you have not previously registered in the authenticator is interesting for checking if the passkey creation will trigger user registration.){35{ | Yes |
}}
- Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.
Capture the platform or browser passkey options
- If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and paste or attach them here.
- If you are using a password manager, capture its passkey-related options.
- If you are using a browser supporting passkeys, capture its options instead.
- If you are using an operating system to manage passkeys, capture its options instead.
Possible locations:
- Windows 11: Settings > Accounts > Passkeys
- iOS: Settings > Apple ID > iCloud > Passwords & Keychain
- Chrome (Windows): Settings > Autofill and passwords > Password Manager > Manage passkeys
These are exemplary paths. You need to screenshot the only passkey-related options. Please paste screenshots in or outside this table as suitable:
Get diagnostics
- Open https://webauthntest.identitystandards.io/.
- Log in using any user name - this is probably just for the app's internal logging.
- Click the "..." button.
- If there are any problems while doing the above, try another time or use another device. If the problem persists, please let us know over Slack.
}}Copy-paste the diagnostic results on the right as text (rows are labelled the same): Platform authenticator (isUVPAA) Conditional Mediation (Autofill UI) CTAP2 support (Firefox) {40{ | Available Not defined Not defined |
---|
}}
Set repeated settings
- Click the "+" button to create a passkey. Choose the following:
- RP Info: This domain
- User Info: Bob
- Attachment: Undefined
- Require Resident Key: True
- Resident Key (L2): Required
It should look like this:
Create passkeys using various settings
- Capture and paste below the screenshot of various prompts, screens, dialogues, questions or messages that show up during passkey registration as you encounter them.
- If some options are offered, snapshot them as well, but do not change anything.
- Capture screenshots at each step of the first passkey creation.
- Also, capture screenshots when new screens appear during subsequent passkey creations and add them here.
- Try not to duplicate screenshots of the same steps, as interactions will likely look similar.
If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.
- You can add a note to a screenshot if you encounter an error or find something interesting.
- If you are wonderinf wgy
Please insert or paste screenshots in this table as suitable, preferably putting the related screenshots in one row (you can place a note beneath an image in the same cell):
Seq1 | ||||||
Seq2 (just new screens) | ||||||
Seq3 (just new screens) | ||||||
Seq4 (just new screens) |
Test User Verification
- Select User Verification: Discouraged and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID 2994EAC303D71F2E7C13EFB43ABE11BF05A85594 RP ID webauthntest.identitystandards.io AAGUID 00000000-0000-0000-0000-000000000000 Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: none (unverified) UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
- Select User Verification: Required and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
- Note that the latest result is the rightmost in the bottom row. You may delete already pasted results.
- All authenticators should be able to register multiple passkeys for the same domain, so you do not need to delete the previously created one. It is likely that the passkeys you create will override each other since they are for the same domain and use the same user name "bob@example.com").
Copy-paste the result on the right: | Credential ID A82BFB447A1BEAFE854018E3B7C59720AC9138B3 RP ID webauthntest.identitystandards.io AAGUID 00000000-0000-0000-0000-000000000000 Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: none (unverified) UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
Test Attestation
- Select Attestation: Enterprise and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Unsupported |
---|---|
If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue: |
}}
- Select Attestation: Direct and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID BE358C1CFC791831E009761D6F077336EBF59F66 RP ID webauthntest.identitystandards.io AAGUID F24A8E70-D0D3-F82C-2937-32523CC4DE5A Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: apple UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|---|
If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue: | Require Resident Key true Authenticator Data UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Authenticator Data in Hex 0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C4500000000F24A8E70D0D3F82C293732523CC4DE5A0014BE358C1CFC791831E009761D6F077336EBF59F66A5010203262001215820470A2DA86228926D4BCE4B1B33D667B2C867A85ED546409A7C2750FBD37FA1BF2258201E10EF94BAA70BD9E163693ADF62A09DE8EEDBC37EDEAAD4D927D50FF994F6BE Public Key EC key: A5010203262001215820470A2DA86228926D4BCE4B1B33D667B2C867A85ED546409A7C2750FBD37FA1BF2258201E10EF94BAA70BD9E163693ADF62A09DE8EEDBC37EDEAAD4D927D50FF994F6BE Extension Data No extension data Attestation Statement Chain none Attestation Statement in Hex A1637835638259024730820243308201C9A0030201020206018A5EF14A5D300A06082A8648CE3D0403023048311C301A06035504030C134170706C6520576562417574686E204341203131133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E6961301E170D3233303930333036343632365A170D3233303930363036343632365A3081913149304706035504030C4031326536333032323264636333636137393836373233613830383963623837383665633162303430346164663531633562376165353066386336333863613738311A3018060355040B0C114141412043657274696669636174696F6E31133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E69613059301306072A8648CE3D020106082A8648CE3D03010703420004470A2DA86228926D4BCE4B1B33D667B2C867A85ED546409A7C2750FBD37FA1BF1E10EF94BAA70BD9E163693ADF62A09DE8EEDBC37EDEAAD4D927D50FF994F6BEA3553053300C0603551D130101FF04023000300E0603551D0F0101FF0404030204F0303306092A864886F76364080204263024A1220420C5D6572A10CB9E0DE47691642899BF0CC4665080AC7717533900AD3CA64AC7E6300A06082A8648CE3D0403020368003065023100A1C0717C9DA423BD0B67CE4323E7C75521BB0586D00B29D25A98CD1DAB1453217EDB4A66D57C2E23AFD3ED480A3C8D7702306EA512BF4CCAB1EE7EFCE7D503C711D419E72F49A6CC15FF4EE9846C175B670C5BC683586C705ED8C599AB4BC5D5BA0B59023830820234308201BAA003020102021056255395C7A7FB40EBE228D8260853B6300A06082A8648CE3D040303304B311F301D06035504030C164170706C6520576562417574686E20526F6F7420434131133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E6961301E170D3230303331383138333830315A170D3330303331333030303030305A3048311C301A06035504030C134170706C6520576562417574686E204341203131133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E69613076301006072A8648CE3D020106052B8104002203620004832E872F261491810225B9F5FCD6BB6378B5F55F3FCB045BC735993475FD549044DF9BFE19211765C69A1DDA050B38D45083401A434FB24D112D56C3E1CFBFCB9891FEC0696081BEF96CBC77C88DDDAF46A5AEE1DD515B5AFAAB93BE9C0B2691A366306430120603551D130101FF040830060101FF020100301F0603551D2304183016801426D764D9C578C25A67D1A7DE6B12D01B63F1C6D7301D0603551D0E04160414EBAE82C4FFA1AC5B51D4CF24610500BE63BD7788300E0603551D0F0101FF040403020106300A06082A8648CE3D0403030368003065023100DD8B1A3481A5FAD9DBB4E7657B841E144C27B75B876A4186C2B1475750337227EFE554457EF648950C632E5C483E70C102302C8A6044DC201FCFE59BC34D2930C1487851D960ED6A75F1EB4ACABE38CD25B897D0C805BEF0C7F78B07A571C6E80E07 |
}}
- Select Attestation: Indirect and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID F33341AF7AC661E5612CFF640C82D4E09078A70E RP ID webauthntest.identitystandards.io AAGUID F24A8E70-D0D3-F82C-2937-32523CC4DE5A Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: apple UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|---|
If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue: | Require Resident Key true Authenticator Data UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Authenticator Data in Hex 0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C4500000000F24A8E70D0D3F82C293732523CC4DE5A0014F33341AF7AC661E5612CFF640C82D4E09078A70EA50102032620012158208E90D3EB52D338ED2D6795E7E3B3CD105717459BE4982AB26F92C282BCA938F9225820F3494565A0F9DB465E6B0D601CA88AD75ABFE60125C56C5EDD7468945966BF8D Public Key EC key: A50102032620012158208E90D3EB52D338ED2D6795E7E3B3CD105717459BE4982AB26F92C282BCA938F9225820F3494565A0F9DB465E6B0D601CA88AD75ABFE60125C56C5EDD7468945966BF8D Extension Data No extension data Attestation Statement Chain none Attestation Statement in Hex A1637835638259024830820244308201C9A0030201020206018A5EEF7CB5300A06082A8648CE3D0403023048311C301A06035504030C134170706C6520576562417574686E204341203131133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E6961301E170D3233303930333036343432375A170D3233303930363036343432375A3081913149304706035504030C4063306564623964376534376439323731663966383035626637363063323935353865653333643536636632633837313462353133383964343062623932343866311A3018060355040B0C114141412043657274696669636174696F6E31133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E69613059301306072A8648CE3D020106082A8648CE3D030107034200048E90D3EB52D338ED2D6795E7E3B3CD105717459BE4982AB26F92C282BCA938F9F3494565A0F9DB465E6B0D601CA88AD75ABFE60125C56C5EDD7468945966BF8DA3553053300C0603551D130101FF04023000300E0603551D0F0101FF0404030204F0303306092A864886F76364080204263024A122042029469CA853694DBEBC7946661D4DE70F840512DA4D1520D0CE8B4E72E17CA761300A06082A8648CE3D0403020369003066023100E4FC0FBE9B27D0C53BC20125AFDD451825A347F7A51333D488CE43806600B3D5BF6491D526B4F24D68BCEA834C4179DF02310084CF6D6476D179FFAB8271AF41B70E4463654F0876FBB211858C241B9CA8C314A95133B9A8ED1DCE93F00D4E2A187FEB59023830820234308201BAA003020102021056255395C7A7FB40EBE228D8260853B6300A06082A8648CE3D040303304B311F301D06035504030C164170706C6520576562417574686E20526F6F7420434131133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E6961301E170D3230303331383138333830315A170D3330303331333030303030305A3048311C301A06035504030C134170706C6520576562417574686E204341203131133011060355040A0C0A4170706C6520496E632E3113301106035504080C0A43616C69666F726E69613076301006072A8648CE3D020106052B8104002203620004832E872F261491810225B9F5FCD6BB6378B5F55F3FCB045BC735993475FD549044DF9BFE19211765C69A1DDA050B38D45083401A434FB24D112D56C3E1CFBFCB9891FEC0696081BEF96CBC77C88DDDAF46A5AEE1DD515B5AFAAB93BE9C0B2691A366306430120603551D130101FF040830060101FF020100301F0603551D2304183016801426D764D9C578C25A67D1A7DE6B12D01B63F1C6D7301D0603551D0E04160414EBAE82C4FFA1AC5B51D4CF24610500BE63BD7788300E0603551D0F0101FF040403020106300A06082A8648CE3D0403030368003065023100DD8B1A3481A5FAD9DBB4E7657B841E144C27B75B876A4186C2B1475750337227EFE554457EF648950C632E5C483E70C102302C8A6044DC201FCFE59BC34D2930C1487851D960ED6A75F1EB4ACABE38CD25B897D0C805BEF0C7F78B07A571C6E80E07 |
}}
- Select Attestation: None and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID 759AC4F0E9EE82090BDAC606C2E097647417E6E7 RP ID webauthntest.identitystandards.io AAGUID 00000000-0000-0000-0000-000000000000 Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: none (unverified) UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
- If none of the previous four tries worked:
- Select Attestation: Undefined and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
- Otherwise, skip this step.
Copy-paste the result on the right: | (skipped) |
---|
}}
- If Attestation: Direct worked, select it. Otherwise, if Attestation: Indirect worked, select it. Otherwise, select Attestation: Undefined.
Test CredProtect Extension
- Select CredProtect Extension: UVOptional and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID D349E9F8BF3ACC39FC2275B85BF8BF1E26771E15 RP ID webauthntest.identitystandards.io AAGUID F24A8E70-D0D3-F82C-2937-32523CC4DE5A Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: apple UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
- Select CredProtect Extension: UVOptionalWithCredIDList and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID 3C5651FE79CE5A026EBE2B590CB8235F6637B38C RP ID webauthntest.identitystandards.io AAGUID F24A8E70-D0D3-F82C-2937-32523CC4DE5A Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: apple UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
- Select CredProtect Extension: UVRequired and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID C7A243122D520409114D8D64002D86CDCEE206DD RP ID webauthntest.identitystandards.io AAGUID F24A8E70-D0D3-F82C-2937-32523CC4DE5A Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: apple UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
- If none of the previous three tries worked:
- Select CredProtect Extension: Undefined and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
- Otherwise, skip this step.
Copy-paste the result on the right: | (skipped) |
---|
}}
- Select CredProtect Extension: Undefined (if not selected already).
Test cryptography
- Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
- Check Use ES256 and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Credential ID A946149C21F470E270D2A07E49E139075BA22D01 RP ID webauthntest.identitystandards.io AAGUID F24A8E70-D0D3-F82C-2937-32523CC4DE5A Credential Registration Data [more details] Key Type: EC Discoverable Credential: true Attestation Type: apple UP=1, UV=1, BE=0, BS=0, AT=1, ED=0, SignCount=0 Last Authentication Data [more details] No authentications |
---|
}}
- Uncheck Use ES256, check Use ES384 and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Unsupported (fingerprint confirmation is spinning indefinitely) |
---|
}}
- Uncheck Use ES384, check Use ES512 and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Unsupported (fingerprint confirmation is spinning indefinitely) |
---|
}}
- Uncheck Use ES512, check Use RS256 and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Unsupported (fingerprint confirmation is spinning indefinitely) |
---|
}}
- Uncheck Use RS256, check Use EdDSA
- and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | Unsupported (fingerprint confirmation is spinning indefinitely) |
---|
}}
Conclusion
Do you have any additional observations or comments related to the entire procedure:{125{ | Buttons in the website had to be clicked multiple times to work. After dismissing one passkey creation prompt, all further attemps were automatically denied and the page needed to be reloaded. Also, when first passkey is created, the page also needs to be reloaded to be able to create another one. The page which asks for a fingerprint cannot be screenshot (because the attempt to make a screenshot dismisses the prompt). Althought passkeys work including the autofill UI, I did not find a way to delete the passkey, they are not listed under Passwords (Keychain), where they should be. |
---|
}}
- Please do not forget to paste any pending screenshots in the above tables.
- You may also paste the screenshot with the passkey(s) created during this test. The list of created passkeys is usually shown along with platform or browser passkey options that you were already asked to screenshot.