[Chrome] Requested protection policy is inconsistent or incongruent with other requested parameters

[huy-yearnings]

I did this

// Rust code

let url = Url::parse("http://localhost:3000").unwrap();
let webauthn = WebauthnBuilder::new("localhost", &url)
            .unwrap()
            .rp_name("Acme")
            .build()
            .unwrap;
let (challenge_response, _) = webauthn.start_securitykey_registration(
    user_unique_id,
    "foo@example.com",
    "Chrome",
    /*exclude_credentials=*/ None,
    /*attestation_ca_list=*/ None,
    /*ui_hint_authenticator_attachment=*/ Some(AuthenticatorAttachment::CrossPlatform),
).unwrap()

// Resulting challenge response JSON

{
    "publicKey": {
        "rp": {
            "name": "Acme",
            "id": "localhost"
        },
        "user": {
            "id": "-Hf8EiJFSJCSXz4mtlTchQ",
            "name": "foo@example.com",
            "displayName": "Chrome"
        },
        "challenge": "FlP_qkvpRuAXqREykLjJCYTzdIV93OSUf1nS02d-djM",
        "pubKeyCredParams": [
            {
                "type": "public-key",
                "alg": -7
            },
            {
                "type": "public-key",
                "alg": -257
            }
        ],
        "timeout": 300000,
        "authenticatorSelection": {
            "authenticatorAttachment": "cross-platform",
            "residentKey": "discouraged",
            "requireResidentKey": false,
            "userVerification": "preferred"
        },
        "hints": [
            "securitykey"
        ],
        "attestation": "none",
        "extensions": {
            "credentialProtectionPolicy": "userVerificationRequired",
            "enforceCredentialProtectionPolicy": false,
            "uvm": true,
            "credProps": true
        }
    }
}

I expected the following

• The challenge JSON is valid argument when for navigator.credentials.create(...), and Chrome must allow user select physical security key for registration.

What actually happened (with Chrome, no error with Firefox)

• Got error from navigator.credentials.create(...): NotSupportedError: Requested protection policy is inconsistent or incongruent with other requested parameters.

Version (and git commit)

webauthn-rs = "0.5.1"

Operating System / Version

Mac

Any other comments

[Firstyear]

    "authenticatorSelection": {
        "authenticatorAttachment": "cross-platform",
        "residentKey": "discouraged",
        "requireResidentKey": false,
        "userVerification": "preferred"
    },

    "extensions": {
        "credentialProtectionPolicy": "userVerificationRequired",
        "enforceCredentialProtectionPolicy": false,
        "uvm": true,
        "credProps": true

* Got error from `navigator.credentials.create(...)`: `NotSupportedError: Requested protection policy is inconsistent or incongruent with other requested parameters.`

You have selected userVerifiation: preferred, not required.

[huy-yearnings]

You have selected userVerifiation: preferred, not required.

@Firstyear , I see, but how to customize userVerifiation ? There is no argument of start_securitykey_registration function allowing me to to that.

[Firstyear]

You can't security key is specifically second factor only, and can not be relied on for UV.

If you want UV, you need to use the passkey types.

[huy-yearnings]

@Firstyear , so it is clear that start_securitykey_registration has a bug, right? Because it generates a malformed challenge response while not allowing caller to customize.

[Firstyear]

It's not a bug, you are not intended to be able to customise the challenge as there are subtle security invariants that customisation can violate.

[huy-yearnings]

@Firstyear , I saw that two conflicting porperties "credentialProtectionPolicy": "userVerificationRequired" and "userVerification": "preferred" are set by default.

If it is not a bug, could you please advise an example that generates valid challenge response with start_securitykey_registration?