Clarification on user gesture requirement for webauthn

Hi folks, I have a couple questions relating to the user gesture requirement on iOS, specifically regarding WebKit.

  1. From my testing, it looks like only one webauthn invocation without user gesture is allowed even if there's intervening user gestures, e.g. navigating to another page, clicking buttons, etc. I have to close Safari and reopen in order to reset the count. Is this expected behavior? It seems like it was originally supposed to be one per user navigation [1].
  2. I see the user gesture requirement was removed recently [2]. I agree with the decision, but am curious what was the context behind this move as it seems like a reversal of https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/.

[1] https://bugs.webkit.org/show_bug.cgi?id=220897

[2] https://bugs.webkit.org/show_bug.cgi?id=264444

Replies

Yes, the user gesture requirement was removed as of iOS 17.4 and macOS 14.4. We realized that we could provide a similar level of user protection with a much simpler mechanism that's easier for developers to understand and work with. Instead of a per-page freebie/keeping track of user gestures and cancel events/etc., there's a new rate limiting mechanism with a progressive backoff if too many requests come in close together. If you hit issues with this new rate limiter, please let us know!
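A client-side model of the backoff this reply describes, added here as an example (it is not WebKit's code nor code from the thread): the thresholds are assumed values, and `credentials` is injected so the wrapper can run outside a browser. It lets an app spot a request pattern that would trip a limiter like this, and it surfaces `NotAllowedError` instead of retrying in a loop.

```javascript
// Added example (not from the thread): a client-side throttle that mimics the behaviour the
// reply describes, a progressive backoff when WebAuthn requests arrive close together, so an
// app can detect a bad request pattern before the browser's own limiter does. All thresholds
// (minGapMs, baseDelayMs, maxDelayMs) are assumed; WebKit's real values are not given here.
class ProgressiveBackoff {
  constructor({ minGapMs = 2000, baseDelayMs = 1000, maxDelayMs = 60000 } = {}) {
    this.minGapMs = minGapMs;       // requests closer than this are "too close together"
    this.baseDelayMs = baseDelayMs; // first penalty; doubles on each further violation
    this.maxDelayMs = maxDelayMs;   // penalty ceiling
    this.lastAllowedAt = -Infinity;
    this.strikes = 0;
    this.blockedUntil = 0;
  }

  // Returns 0 when a request may proceed now, otherwise the number of ms to wait.
  check(now) {
    if (now < this.blockedUntil) return this.blockedUntil - now;
    if (now - this.lastAllowedAt < this.minGapMs) {
      this.strikes += 1;
      const penalty = Math.min(this.baseDelayMs * 2 ** (this.strikes - 1), this.maxDelayMs);
      this.blockedUntil = now + penalty;
      return penalty;
    }
    this.strikes = 0; // a well-spaced request clears the backoff
    this.lastAllowedAt = now;
    return 0;
  }
}

// Issues a WebAuthn request through the throttle (call it from a click/tap handler) and
// reports NotAllowedError to the caller instead of retrying.
// `credentials` is injected: navigator.credentials in a page, a stub in tests.
async function requestCredential(credentials, limiter, options, now = Date.now()) {
  const wait = limiter.check(now);
  if (wait > 0) return { ok: false, reason: 'throttled', retryAfterMs: wait };
  try {
    return { ok: true, credential: await credentials.get(options) };
  } catch (err) {
    // NotAllowedError covers user cancellation, timeouts and the browser's own limiter;
    // surface it to the UI (e.g. a "try again" button) rather than looping on it.
    if (err && err.name === 'NotAllowedError') return { ok: false, reason: 'not-allowed' };
    throw err;
  }
}
```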

We also noticed the bug and can verify that it's been fixed in the Safari browser on iOS 17.4. But we noticed that a similar issue still exists in our iOS app.

For a user who has not registered a passkey, our sign-in page in WKWebView uses a JSBridge to call a native iOS API that shows a password autofill option to the user. After sign-in succeeds using password autofill, we redirect the sign-in page to the passkey registration page, and the user gesture requirement bug can still be reproduced.

If the user gesture requirement fix was applied in WebKit, it should work the same in the context of Safari and WKWebView, and the only difference in our implementation would be the native iOS API call to trigger autofill in WKWebView. Could that be the cause of enforcing something similar to the user gesture requirement?