Describe the platform

To ensure a successful test of the authenticator, please follow these steps:

  • For this test, you need a computer or mobile device and a hardware or software authenticator. It may be:
    • Hardware authenticator, such as YubiKey.
    • Operating system authenticator, such as Touch ID or Windows Hello.
    • Software authenticator, such as tpm-fido.
    • Password manager with passkey support, such as Dashlane.
  • The actions performed during this test are parts of regular usage and should not affect the authenticator in any way. However, you may choose to use a brand-new authenticator, reset or clear it to avoid any conflicts during the test.
  • If necessary, delete the passkey that you create during this testing if it prevents you from creating it again. This should not happen, but if it does, please provide a screenshot and an accompanying note. If you are willing to, reset the authenticator's settings (e.g., disable PIN, unregister fingerprint).
  • Fill in the details in the table below:

Tester:
@ (name yourself){10{

}}Date:
Use '//' to input date{15{

 

}}Authenticator (or device) vendor:
Yubico, Apple, Dell, HP, Android phone brand...
SoloKey
Authenticator (or device) model:
YubiKey 5 NFC, iPhone 13, PC model name, MacBook year size, MacBook Air year size, MacBook Pro year size...{17{
SOMU
}}OS and its version:
iOS 13, macOS 10.5.8, Windows 10 22H2, Windows 11 22H2, Android 13...{20{

Linux Ubuntu 23.04

}}Browser and its version:
Chrome 114, Firefox 114...{30{
Chrome Version 114.0.5735.198 (Official Build) (64-bit)
}}I registered a PIN/password/finger/face in the authenticator before the session:
Yes or No
(
The situation where you have not previously registered in the authenticator is interesting for checking if the passkey creation will trigger user registration.){35{

Yes

}}

  • Be prepared to capture screenshots of each system/browser dialogue that appears. Later in this process, you will register a passkey multiple times.

Capture the platform or browser passkey options

  • If there are any options or settings related to "passkeys", "security keys" or similar in your OS/device/spaceship settings (related to the authenticator you are going to use), capture screenshots and paste or attach them here.
    • If you are using a password manager, capture its passkey-related options.
    • If you are using a browser supporting passkeys, capture its options instead.
    • If you are using an operating system to manage passkeys, capture its options instead.

Possible locations:

    • Windows 11: Settings > Accounts > Passkeys
    • iOS: Settings > Apple ID > iCloud > Passwords & Keychain
    • Chrome (Windows): Settings > Autofill and passwords > Password Manager > Manage passkeys

These are exemplary paths. You need to screenshot the only passkey-related options. Please paste screenshots in or outside this table as suitable:





















Get diagnostics

  • Open https://webauthntest.identitystandards.io/.
  • Log in using any user name - this is probably just for the app's internal logging.
  • Click the "..." button.
  • If there are any problems while doing the above, try another time or use another device. If the problem persists, please let us know over Slack.

Copy-paste the diagnostic results on the right as text (rows are labelled the same):

Platform authenticator (isUVPAA)


Conditional Mediation (Autofill UI)


CTAP2 support (Firefox)


{40{

Not available

Not supported

Not defined

}}

Set repeated settings

  • Click the "+" button to create a passkey. Choose the following:
    • RP Info: This domain
    • User Info: Bob
    • Attachment: Undefined
    • Require Resident Key: True
    • Resident Key (L2): Required

It should look like this:

Create passkeys using various settings

  • Capture and paste below the screenshot of various prompts, screens, dialogues, questions or messages that show up during passkey registration as you encounter them.
    • If some options are offered, snapshot them as well, but do not change anything.
    • Capture screenshots at each step of the first passkey creation.
    • Also, capture screenshots when new screens appear during subsequent passkey creations and add them here.
    • Try not to duplicate screenshots of the same steps, as interactions will likely look similar.
    • If you encounter an error message like "Authenticator data cannot be parsed", it indicates that the combination of arguments used is not supported by the authenticator being tested.

    • You can add a note to a screenshot if you encounter an error or find something interesting.
    • If you are wondering why

Please insert or paste screenshots in this table as suitable, preferably putting the related screenshots in one row (you can place a note beneath an image in the same cell):

Seq1





Attestation Direct




Unsupported crypt




Seq4 (just new screens)





Test User Verification

  • Select User Verification: Discouraged and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{45{

bob@example.com


Credential ID
A041B210B2BA98B07D310C924E7D5B9A5831D208A73E906BCE70A22B9B2F178268720B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C09240000

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=1, SignCount=9225

Last Authentication Data [more details]
No authentications

}}

  • Select User Verification: Required and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Note that the latest result is the rightmost in the bottom row. You may delete already pasted results.
  • All authenticators should be able to register multiple passkeys for the same domain, so you do not need to delete the previously created one. It is likely that the passkeys you create will override each other since they are for the same domain and use the same user name "bob@example.com").

Copy-paste the result on the right:
Put Unsupported if there was an error{50{

bob@example.com


Credential ID
4FF9FE85C0ED9A3B8F9F25BE7F7F8F5A457FD6242B61B6D8D7286BE0FC91CE55BF420B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C19240000

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=1, SignCount=9241

Last Authentication Data [more details]
No authentications

}}

Test Attestation

  • Select Attestation: Enterprise and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{55{

bob@example.com


Credential ID
C6DD8B04DEB82934327E5EF667A7F67334FB68812D406E349607C8D6205D564DEFAC0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C28240000

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=1, SignCount=9256

Last Authentication Data [more details]
No authentications

If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue:

Credential Creation Data

Require Resident Key
true

Authenticator Data
UP=1, UV=1, AT=1, ED=1, SignCount=9256

Authenticator Data in Hex
0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5CC500002428000000000000000000000000000000000046C6DD8B04DEB82934327E5EF667A7F67334FB68812D406E349607C8D6205D564DEFAC0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C28240000A5010203262001215820679B7149B3A2BE727985B47566843BC8F8750B6CAC6D4CAC0C3FE60E67E32BD6225820D3E948157572E87DD4577861A33CA714029406DF1E0230AFEFDCCD8BB792E5DEA16B6372656450726F7465637402

Public Key
EC key: A5010203262001215820679B7149B3A2BE727985B47566843BC8F8750B6CAC6D4CAC0C3FE60E67E32BD6225820D3E948157572E87DD4577861A33CA714029406DF1E0230AFEFDCCD8BB792E5DE

Extension Data
A16B6372656450726F7465637402

Attestation Statement Chain
none

Attestation Statement in Hex
A0

}}

  • Select Attestation: Direct and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{60{

bob@example.com


Credential ID
CDA46AE68AF99885110324577B6C4F9BBC6C8A83C3107052AF8C8BC036A951C6A9770B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C29240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9257

Last Authentication Data [more details]
No authentications

If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue:

Credential Creation Data

Require Resident Key
true

Authenticator Data
UP=1, UV=1, AT=1, ED=1, SignCount=9257

Authenticator Data in Hex
0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5CC5000024299876631BD4A0427F57730EC71C9E02790046CDA46AE68AF99885110324577B6C4F9BBC6C8A83C3107052AF8C8BC036A951C6A9770B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C29240000A501020326200121582012917F8F41F1E406E1426044814F743EE72794301101D7DF9AFCCC75B7B2379B22582097D44B044BF7830496F9ACE2E1B675BFDA0DD0D038C40D449C7F0AC8970BB613A16B6372656450726F7465637402

Public Key
EC key: A501020326200121582012917F8F41F1E406E1426044814F743EE72794301101D7DF9AFCCC75B7B2379B22582097D44B044BF7830496F9ACE2E1B675BFDA0DD0D038C40D449C7F0AC8970BB613

Extension Data
A16B6372656450726F7465637402

Attestation Statement Chain
[{"version":3,"subject":"/C=US/ST=Maryland/O=Solo Keys/OU=Authenticator Attestation/CN=solokeys.com/E=hello@solokeys.com","issuer":"/C=US/ST=Maryland/O=Solo Keys/OU=Root CA/CN=solokeys.com/E=hello@solokeys.com"}]

Attestation Statement in Hex
A363616C67266373696758473045022100C5AAA1AAA332E89AB83151F479ED1F62BDE31EA88EAA409ECFA8857D3818865A02204B841C70042846E3CD12DB0727950EBF7A69E8BFA2725A42CBD4DB38E1B7663463783563815902E5308202E130820288A003020102020101300A06082A8648CE3D040302308180310B30090603550406130255533111300F06035504080C084D6172796C616E6431123010060355040A0C09536F6C6F204B6579733110300E060355040B0C07526F6F742043413115301306035504030C0C736F6C6F6B6579732E636F6D3121301F06092A864886F70D010901161268656C6C6F40736F6C6F6B6579732E636F6D3020170D3138313131313132353230305A180F32303638313032393132353230305A308192310B30090603550406130255533111300F06035504080C084D6172796C616E6431123010060355040A0C09536F6C6F204B65797331223020060355040B0C1941757468656E74696361746F72204174746573746174696F6E3115301306035504030C0C736F6C6F6B6579732E636F6D3121301F06092A864886F70D010901161268656C6C6F40736F6C6F6B6579732E636F6D3059301306072A8648CE3D020106082A8648CE3D0301070342000422FE0FB52A78BEC645371A28A7574349A46F854DCA4E251C9F75303DBF10D5D2D20BB9692CDDB25C14D8398512F623EE91BAC6ACFF4A1A27EFE0C1543FD4D9C5A381DC3081D9301D0603551D0E041604143BE6D2C06FF2E7B07C9D9E28C020B00D07C815C830819F0603551D23048197308194A18186A48183308180310B30090603550406130255533111300F06035504080C084D6172796C616E6431123010060355040A0C09536F6C6F204B6579733110300E060355040B0C07526F6F742043413115301306035504030C0C736F6C6F6B6579732E636F6D3121301F06092A864886F70D010901161268656C6C6F40736F6C6F6B6579732E636F6D820900C44763928FF4BE8C30090603551D1304023000300B0603551D0F0404030204F0300A06082A8648CE3D040302034700304402207110462CF516189755CA64503B69B2DF1771ABAD8EC0D6A6073D668A3BBBFE6102201E82EFEB5E4E3A008464D2F884C378359363812EBEA612326E2990C8914B7152

}}

  • Select Attestation: Indirect and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{65{

bob@example.com


Credential ID
702DAD92498C593FB53B964550F80A5D498708236CF6B422B0D784143CCF2B9BD1500B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C2E240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9262

Last Authentication Data [more details]
No authentications

If registration worked, click on "Credential Registration Data [more details]" and copy-paste the content of the dialogue:

Credential Creation Data

Require Resident Key
true

Authenticator Data
UP=1, UV=1, AT=1, ED=1, SignCount=9262

Authenticator Data in Hex
0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5CC50000242E9876631BD4A0427F57730EC71C9E02790046702DAD92498C593FB53B964550F80A5D498708236CF6B422B0D784143CCF2B9BD1500B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C2E240000A50102032620012158206AEEF2C3ABE72E5D14B8F3FA1DD1731EE2FEA19C118F5C86C5895CC84402182B2258206DC7A4D6CD0A092E9E4B26A4DF979B33395184F386A9264E801B12C228B16D08A16B6372656450726F7465637402

Public Key
EC key: A50102032620012158206AEEF2C3ABE72E5D14B8F3FA1DD1731EE2FEA19C118F5C86C5895CC84402182B2258206DC7A4D6CD0A092E9E4B26A4DF979B33395184F386A9264E801B12C228B16D08

Extension Data
A16B6372656450726F7465637402

Attestation Statement Chain
[{"version":3,"subject":"/C=US/ST=Maryland/O=Solo Keys/OU=Authenticator Attestation/CN=solokeys.com/E=hello@solokeys.com","issuer":"/C=US/ST=Maryland/O=Solo Keys/OU=Root CA/CN=solokeys.com/E=hello@solokeys.com"}]

Attestation Statement in Hex
A363616C67266373696758463044022052442693CFB3321332CDC9AE0BC923D8893FF79ED47A35894E8BB3E95C944FE7022032586E115A116453D005EA4E8091877D7EAEE2C941C8319F5D1390DE7D3FBA4763783563815902E5308202E130820288A003020102020101300A06082A8648CE3D040302308180310B30090603550406130255533111300F06035504080C084D6172796C616E6431123010060355040A0C09536F6C6F204B6579733110300E060355040B0C07526F6F742043413115301306035504030C0C736F6C6F6B6579732E636F6D3121301F06092A864886F70D010901161268656C6C6F40736F6C6F6B6579732E636F6D3020170D3138313131313132353230305A180F32303638313032393132353230305A308192310B30090603550406130255533111300F06035504080C084D6172796C616E6431123010060355040A0C09536F6C6F204B65797331223020060355040B0C1941757468656E74696361746F72204174746573746174696F6E3115301306035504030C0C736F6C6F6B6579732E636F6D3121301F06092A864886F70D010901161268656C6C6F40736F6C6F6B6579732E636F6D3059301306072A8648CE3D020106082A8648CE3D0301070342000422FE0FB52A78BEC645371A28A7574349A46F854DCA4E251C9F75303DBF10D5D2D20BB9692CDDB25C14D8398512F623EE91BAC6ACFF4A1A27EFE0C1543FD4D9C5A381DC3081D9301D0603551D0E041604143BE6D2C06FF2E7B07C9D9E28C020B00D07C815C830819F0603551D23048197308194A18186A48183308180310B30090603550406130255533111300F06035504080C084D6172796C616E6431123010060355040A0C09536F6C6F204B6579733110300E060355040B0C07526F6F742043413115301306035504030C0C736F6C6F6B6579732E636F6D3121301F06092A864886F70D010901161268656C6C6F40736F6C6F6B6579732E636F6D820900C44763928FF4BE8C30090603551D1304023000300B0603551D0F0404030204F0300A06082A8648CE3D040302034700304402207110462CF516189755CA64503B69B2DF1771ABAD8EC0D6A6073D668A3BBBFE6102201E82EFEB5E4E3A008464D2F884C378359363812EBEA612326E2990C8914B7152

}}

  • Select Attestation: None and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{70{

bob@example.com


Credential ID
7B75E3F3A4CFF4DB7015DD8C7E13DB19D5B25F8D24AB139AC39269D6298E47B0D9290B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C36240000

RP ID
webauthntest.identitystandards.io

AAGUID
00000000-0000-0000-0000-000000000000

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: none (unverified)
UP=1, UV=1, AT=1, ED=1, SignCount=9270

Last Authentication Data [more details]
No authentications

}}

  • If none of the previous four tries worked:
    • Select Attestation: Undefined and click CREATE.
    • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Otherwise, skip this step.

Copy-paste the result on the right:
Put Unsupported if there was an error{75{


  • }}
  • If Attestation: Direct worked, select it. Otherwise, if Attestation: Indirect worked, select it. Otherwise, select Attestation: Undefined.

Test CredProtect Extension

  • Select CredProtect Extension: UVOptional and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{80{

bob@example.com


Credential ID
265B866F79E5F9AF1C47115FF4AA4F82369D3B5581C4F8BF012BFFCC980A2A7462AE0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C40240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9280

Last Authentication Data [more details]
No authentications

}}

  • Select CredProtect Extension: UVOptionalWithCredIDList and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{85{

bob@example.com


Credential ID
0924E9DA3FE62DCF63F4EDD069A3BE7E87F8F7D501BDCC194071DF9635FEC235131E0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C47240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9287

Last Authentication Data [more details]
No authentications

}}

  • Select CredProtect Extension: UVRequired and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{90{

bob@example.com


Credential ID
91FDC716238FF54ED3A5647714D48FBFEFD57066CD8E32230ECA5E0E4BD1A00900350B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C50240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9296

Last Authentication Data [more details]
No authentications

}}

  • If none of the previous three tries worked:
    • Select CredProtect Extension: Undefined and click CREATE.
    • Follow the requested steps to create a passkey, then copy-paste the result from the web app.
  • Otherwise, skip this step.

Copy-paste the result on the right:
Put Unsupported if there was an error{95{


}}

  • Select CredProtect Extension: Undefined (if not selected already).

Test cryptography

  • Uncheck all the following checkboxes: Use ES256, Use ES384, Use ES512, Use RS256, Use EdDSA.
  • Check Use ES256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{100{

bob@example.com


Credential ID
FF01B5CBFE0F5F9F9936BD3642C485270E7DA034663D49A11151A914117166FC20960B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C5B240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: EC
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9307

Last Authentication Data [more details]
No authentications

}}

  • Uncheck Use ES256, check Use ES384 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{105{

Unsupported

}}

  • Uncheck Use ES384, check Use ES512 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{110{

Unsupported

}}

  • Uncheck Use ES512, check Use RS256 and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{115{

Unsupported

}}

  • Uncheck Use RS256, check Use EdDSA
  • and click CREATE.
  • Follow the requested steps to create a passkey, then copy-paste the result from the web app.

Copy-paste the result on the right:
Put Unsupported if there was an error{120{

bob@example.com


Credential ID
19DAD00B1DE5CA985ED293B06C1AFC7EFA6ED016EFF51BC4E2D6152201C40176A0AE0B997CCCEB3AEB29C55C94A894B11CF01A24B4C8AE706F328CC2EA8CEBC4AD5C68240000

RP ID
webauthntest.identitystandards.io

AAGUID
9876631B-D4A0-427F-5773-0EC71C9E0279

Credential Registration Data [more details]
Key Type: undefined
Discoverable Credential: true
Attestation Type: packed
UP=1, UV=1, AT=1, ED=1, SignCount=9320

Last Authentication Data [more details]
No authentications

}}

Conclusion

Do you have any additional observations or comments related to the entire procedure:{125{


}}

  • Please do not forget to paste any pending screenshots in the above tables.
  • You may also paste the screenshot with the passkey(s) created during this test. The list of created passkeys is usually shown along with platform or browser passkey options that you were already asked to screenshot.

Thank you!

  • No labels