...
- Prepare the authenticator that you wish to test. It is recommended to use it only for this test to avoid any conflicts. If necessary, delete the passkey and . If you are willing to, reset the authenticator's settings (e.g., disable PIN, unregister fingerprint). Sounds scary. What i I already have something on it, or had some UV method set?
- It may be a hardware authenticator, such as a YubiKey.
- It may be an operating system authenticator, such as Touch ID or Windows Hello.
- It may be a software authenticator, such as tpm-fido.
- It may be a password manager with passkey support, such as Dashlane.
- Fill in the details in the table below:
$$Tester: | test line 1 test line 2 | |
---|---|---|
$$Date: Use '//' wiki date$$ | test line 1||
$$Authenticator (or device) vendor: Yubico, Apple, Dell, HP, Android phone brand...$$ | ||
$$Authenticator (or device) model: YubiKey 5, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...$$ | test||
$$OS and its version: iOS 13, macOS 10.5.8, Windows 10 22h2, Windows 11 22h2, Android 13...$$ | test||
$$Browser and its version: Chrome 114, Firefox 114...$$ | test | |
$$I registered a PIN/password/finger/face in the authenticator before the session: (I guess that should be set for the entire session! Should there be 2 sessions per device? I also guess that phones require some form of screen lock. Perhaps require both options only for security keys?) Enter yes or no$$ |
$$
- Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.
...
- If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and attach them here.
- If there are password manager options, only capture them.
- If there are browser options, capture them instead.
- If there are operating system options, capture them instead.
...
Paste system options screenshots on the right: | test line 1
---|
Get diagnostics
- Open https://webauthntest.identitystandards.io/.
- Click the "..." button.
$$Copy-paste the diagnostic results on the right as text (rows are labeled the same, but you may have different values): Platform authenticator (isUVPAA) Available : Conditional Mediation (Autofill UI) Not defined : CTAP2 support (Firefox) Supported : $$ |
---|
$$
Set repeated settings
- Click the "+" button to create a passkey. Choose the following values:
- RP Info: This domain
- User Info: Bob
- Attachment: undefined
- Require Resident Key: true
- Resident Key (L2): required
...
If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.
Capture screenshots during the first test in each step, plus any time a new screen appears in any other test. (Usually, all tests will look the same, there is no need to take duplicate screenshots.)
Test User Verification
- Select User Verification: Discouraged and click CREATE.I think we should request screenshots at only one creation test, you choose where. Probably not here but in the next creation!!!
Paste screenshot(s) on the right: | test line 1 test line 2 test line 3 | . |
---|
- Copy-paste the result from the web app.
$$UVUCopy-paste the result on the right: | test line 1 test line 2 test line 3 |
---|
$$
...
- Select User Verification: Required and click CREATE.
- Copy-paste the result from the web app.
$$UVRCopy-paste the result on the right: | test line 1 test line 2 test line 3 |
---|
$$
...
...
AND SO ON...
Test Attestation
...
- Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
- Check Use ES256 and click CREATE.
- Copy-paste the resulting registration data into row 10. ES256, or input "unsupported" if there was an error.
- What about Use ES256 now? Clear it?
- Copy-paste the resulting registration data into row 10. ES256, or input "unsupported" if there was an error.
- Use Uncheck UseES256, check Use ES384 and click CREATE.
- Copy-paste the resulting registration data into row 11. ES384, or input "unsupported" if there was an error.
- Check Uncheck UseES384, check Use ES512 and click CREATE.
- Copy-paste the resulting registration data into row 12. ES512, or input "unsupported" if there was an error.
- Check Uncheck UseES512, check Use RS256 and click CREATE.
- Copy-paste the resulting registration data into row 13. RS256, or input "unsupported" if there was an error.
- Check Uncheck UseRS256, check Use EdDSA and click CREATE.
- Copy-paste the resulting registration data into row 14. EdDSA, or input "unsupported" if there was an error.
...