Create a copy of this page as a sibling and complete it as instructed below.
Describe the platform
To ensure a successful test of the authenticator, please follow these steps:
...
Tester: | |
---|---|
}}Date: Use '//' to input date{15{ |
|
}}Authenticator (or device) vendor: Yubico, Apple, Dell, HP, Android phone brand...{317{ | Lenovo |
}}Authenticator (or device) model: YubiKey 5 NFC, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...{20{ | IdeaPad 720S 14in |
}}OS and its version: iOS 13, macOS 10.5.8, Windows 10 22H2, Windows 11 22H2, Android 13...{25{ | Windows 11 22H2 |
}}Browser and its version: Chrome 114, Firefox 114...{30{ | Chrome 114.0.5735.199 |
}}I registered a PIN/password/finger/face in the authenticator before the session: | Yes |
...
- Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.
Capture the platform or browser passkey options
- If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and paste or attach them here.
- If you are using a password manager, capture its passkey-related options.
- If you are using a browser supporting passkeys, capture its options instead.
- If f you are using an operating system to manage passkeys, capture its options instead.
...
These are exemplary paths. You need to screenshot the only passkey-relates relateD options. Please paste screenshots in or outside this table as suitable:
Get diagnostics
- Open https://webauthntest.identitystandards.io/.
- Click the "..." button.
}}Copy-paste the diagnostic results on the right as text (rows are labelled the same): Platform authenticator (isUVPAA) Conditional Mediation (Autofill UI) CTAP2 support (Firefox) {40{ | Platform authenticator (isUVPAA)Available Conditional Mediation (Autofill UI)Supported CTAP2 support (Firefox)Not defined |
---|
}}
Set repeated settings
- Click the "+" button to create a passkey. Choose the following values:
- RP Info: This domain
- User Info: Bob
- Attachment: Undefined
- Require Resident Key: True
- Resident Key (L2): Required
It should look like this:
Create passkeys using various settings
- Capture and paste below the screenshot of various prompts, screens, dialogues, questions or messages that show up during passkey registration as you encounter them.
- If some options are offered, snapshot them as well, but do not change anything.
- Capture screenshots at each step of the first passkey creation.
- Also, capture screenshots when new screens appear during subsequent passkey creations and add them here.
- Try not to duplicate screenshots of the same steps, as interactions will likely look similar.
If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.
- You can add a note to a screenshot if you encounter an error or find something interesting.
...
Seq1 | In Chrome | After switching to Fingerprint | Second time | |||
Seq2 (just new screens) | On Use ES***, Use EdDSA | After Cancel | ||||
Seq3 (just new screens) | Chrome on timeout of the creation form | |||||
Seq4 (just new screens) |
Place one row after each?
Test User Verification
- Select User Verification: Discouraged and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
- Select User Verification: Required and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
- Note that the latest result is the rightmost in the bottom row. You may delete already pasted results.
- All authenticators should be able to register multiple passkeys for the same domain, so you do not need to delete the previously created one. Is this creation of multiple passkeys or an override of the old one?It is likely that the passkeys you create will override each other since they are for the same domain and use the same user name "bob@example.com").
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
}}
Test Attestation
- Select Attestation: Enterprise and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
- If none of the previous four tries worked,:
- Select Attestation: Undefined and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
- Otherwise, skip this step???.
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
- If Attestation: Direct worked, select it. Otherwise, if Attestation: Indirect worked, select it. What about None? Otherwise, select Attestation: Undefined.Should they say which they used?
Test CredProtect Extension
- Select CredProtect Extension: UVOptionaland click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
- If none of the previous three tries worked,:
- Select CredProtect Extension: Undefinedand click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
- Otherwise, skip this step???.
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
- Select CredProtect Extension: Undefined (if not selected already).
Test cryptography
- Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
- Check Use ES256 and click CREATE.
- Follow the requested steps to create a passkey, then copy-paste the result from the web app.
...
Copy-paste the result on the right: | bob@example.comCredential ID RP ID AAGUID Credential Registration Data [more details] Last Authentication Data [more details] |
---|
...
Copy-paste the result on the right: | Unsupported, required security key |
---|
}}
Conclusion
Do you have any additional observations or comments related to the entire procedure:{125{ | The same as for Firefox, except for the extra first screen. It would be interesting to try to select eg ES512 or EdDSA and also RS256 and see what a security keay would choose. |
---|
}}
- Please , do not forget to paste any pending screenshots in the above tables.
- You may also paste the screenshot with the passkey(s) created during this test. The list of created passkeys is usually shown along with platform or browser passkey options that you were already asked to screenshot.