Tags: webauthn, fido-u2f, fido

How to disallow the FIDO Webauthn key registration from virtual authenticator browser extension
The virtual authenticator extension provided in Chrome (virtual authenticators tab) is used for testing / debugging the FIDO2 Webauthn authentication mechanism without using physical authenticator keys. This is useful in automated testing e.g. via Selenium.

  1. Should it be allowed in the Production environment of the IAM provider?
  2. Is there any way to disable/disallow this registration in the production environment?

I tried to set up Google account 2-Step Verification using a virtual authenticator tab extension. But Google does not allow us to register a FIDO key from a virtual authenticators tab extension.
Solution

  • Is there any way to disable/disallow this registration in the production environment?

    Short answer: you don't have to.

    Long answer: the virtual authenticator implementation is specifically designed to discourage its use in production systems. The credentials are bound to a single frame (for the most part, this means a single tab), and are cleared as soon as the virtual environment is disabled or the tab closed.

    The worst possible scenario would be a user locking themselves out, but they would have to be savvy enough to find the extension (or the new devtools panel on Chrome 87) & set up the authenticator, while not realizing they can get locked out. We don't consider this a significant risk.

  • I tried to set up Google account 2-Step Verification using a virtual authenticator tab extension. But Google does not allow us to register a FIDO key from a virtual authenticators tab extension.

    At the moment, Google is using the old U2F JavaScript API to register credentials, which is not supported by the virtual authenticators. This is why registration fails.
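The answer above says a relying party does not need to block virtual authenticators. For a deployment that nonetheless wants to accept only authenticators that can prove their make and model, the WebAuthn-level control is the attestation statement in the registration response, not the browser extension; the following is an added example (not from the answer or any project) that decodes the CBOR attestationObject and applies such a policy, using constructed sample objects and skipping signature and certificate-chain verification.

```python
"""RP-side look at a WebAuthn registration attestationObject, without third-party libraries."""

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder: ints, byte/text strings, arrays and maps (what attestation objects use)."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24: n = info
    elif info <= 27: w = 1 << (info - 24); n = int.from_bytes(buf[pos:pos + w], "big"); pos += w
    else: raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0: return n, pos
    if major == 1: return -1 - n, pos
    if major == 2: return bytes(buf[pos:pos + n]), pos + n
    if major == 3: return buf[pos:pos + n].decode("utf-8"), pos + n
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            if major == 4: out.append(k)
            else: out[k], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def describe_attestation(att_obj):
    """Return (fmt, has_x5c, aaguid_hex) from the CBOR attestationObject sent at registration."""
    obj, _ = cbor_decode(att_obj)
    auth_data = obj["authData"]
    flags = auth_data[32]                                        # rpIdHash occupies bytes 0..31
    aaguid = auth_data[37:53].hex() if flags & 0x40 else None    # AT flag: attested credential data present
    return obj["fmt"], bool(obj["attStmt"].get("x5c")), aaguid

def accept_registration(att_obj, require_attested=False):
    """Policy hook: with require_attested, refuse fmt 'none' and self-attestation (no x5c chain).
    Signature and certificate-chain verification are out of scope for this example."""
    fmt, has_x5c, _ = describe_attestation(att_obj)
    return True if not require_attested else (fmt != "none" and has_x5c)

# --- constructed samples (hypothetical bytes, not captured from any real or virtual authenticator) ---
def _cbor_text(s):
    b = s.encode(); return bytes([0x60 | len(b)]) + b           # CBOR text string, length < 24

def _build_att_obj(fmt, att_stmt_cbor, auth_data):
    return (b"\xa3" + _cbor_text("fmt") + _cbor_text(fmt) + _cbor_text("attStmt") + att_stmt_cbor
            + _cbor_text("authData") + bytes([0x58, len(auth_data)]) + auth_data)

# authData: 32-byte rpIdHash, flags UP|AT (0x41), 4-byte counter, 16-byte AAGUID, credId length 1, credId, COSE key {1: 2}
SAMPLE_AUTH_DATA = bytes(32) + b"\x41" + bytes(4) + bytes(16) + b"\x00\x01" + b"\x01" + bytes.fromhex("a10102")
SAMPLE_NONE = _build_att_obj("none", b"\xa0", SAMPLE_AUTH_DATA)                                           # attStmt = {}
SAMPLE_PACKED = _build_att_obj("packed", b"\xa1" + _cbor_text("x5c") + b"\x81\x43DER", SAMPLE_AUTH_DATA)  # x5c: [b"DER"] placeholder
```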