Is It Possible to Identify Emulated WebAuthn Credentials vs Real Ones?

Time: 10-17

When a user creates a WebAuthn Credential, is there any way to know if it is "real", or if it was created with Chromium's WebAuthn Emulator?

https://learn.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/webauthn/

CodePudding user response:

I would recommend not to focus on this particular problem as a concern in your WebAuthn implementation. I say this for a few reasons:

  1. A normal end user isn't going to accidentally enable an emulated authenticator and mistakenly use it as their primary authenticator
  2. If a user is skilled enough to know that they can enable a virtual authenticator, then (my hope) is that they would have enough sense not to use it as their primary authenticator

When working in low-assurance (consumer-type) applications, it's better to be highly permissive in the types of authenticators you allow to register - even if that means someone is using an authenticator you are not familiar with.

With that said, if you're operating in a high-assurance (enterprise, high-risk) application, then I would suggest you explore the concept of attestation. Attestation should allow you to attempt to identify the authenticator being used, so you can determine whether the credential should be allowed to register or not.

Here's a really good resource to get you primed on attestation as a concept

Here's some implementation guidance that you can use, if you decide that you need to manage the types of authenticators being registered to your application.

Hope this helps
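As an added illustration of the registration-time policy the answer describes (example code written for this page, not from the answer, Chromium or any WebAuthn library): parse the authenticator data from a registration response, read the AAGUID that identifies the authenticator model, and apply a low-assurance vs high-assurance policy. The allowlist AAGUIDs and the sample inputs are constructed placeholders, and verification of the attestation statement's signature and trust chain is left out.

```python
import hashlib
import struct
import uuid

# Constructed allowlist of AAGUIDs -> model label (placeholder UUIDs, not real products).
TRUSTED_AAGUIDS = {uuid.UUID("11111111-2222-3333-4444-555555555555"): "example-key-model-A"}
ZERO_AAGUID = uuid.UUID(int=0)  # zeroed AAGUID, commonly seen alongside fmt "none"
def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed-layout authenticator data from a registration response."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_verified": bool(flags & 0x04),
        "attested": bool(flags & 0x40),  # AT flag: attested credential data follows
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
    }
    if parsed["attested"]:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed

def registration_decision(fmt: str, auth_data: bytes, rp_id: str, high_assurance: bool):
    """Policy step only; verifying the attStmt signature/trust chain and looking the
    AAGUID up in a metadata service are left out of this example."""
    ad = parse_auth_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad["attested"]:
        return False, "no attested credential data in registration"
    if not high_assurance:
        return True, "low assurance: any authenticator may register"
    if fmt == "none" or ad["aaguid"] == ZERO_AAGUID:
        return False, "unverifiable attestation (fmt 'none' or zeroed AAGUID)"
    label = TRUSTED_AAGUIDS.get(ad["aaguid"])
    if label is None:
        return False, f"authenticator model not on the allowlist: {ad['aaguid']}"
    return True, f"attested authenticator model: {label}"

def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes, flags: int = 0x45) -> bytes:
    """Constructed sample: rpIdHash | flags (UP|UV|AT = 0x45) | signCount | AAGUID |
    credIdLen | credId | COSE key (an empty CBOR map stands in for the key)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```

In a real relying party the AAGUID should be checked against the FIDO Metadata Service after the attestation signature has been verified, otherwise any client can claim any AAGUID.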
