Blog article

Using FIDO2 on Microsoft Edge for Windows 10 Insider Preview

Recently, Microsoft Edge began supporting WebAuthn in the Windows 10 Insider Preview.


Following this, the author of https://webauthn.org, Twitter user @apowers313, tweeted:

> WebAuthn will work on Edge from Windows 10 Insider Preview Build 17682.

According to the Windows Blogs Insider Preview post, the Web Authentication API is supported in Windows 10 Insider Preview Build 17682.

> The implementation in Microsoft Edge allows users to use Windows Hello (via PIN or biometrics) and external authenticators like FIDO2 Security Keys or FIDO U2F Security Keys to securely authenticate to websites. We’ll have more to share about Web Authentication in Microsoft Edge soon!


Thus, it appears that Single Factor login using PIN or Biometrics is possible with the new CTAP2 protocol.


The environments used to run the tests in this article are as follows.


Video

As seen in the video, CTAP2 is implemented in Windows Hello.


In addition to the "internal authenticators" such as fingerprint and facial recognition that have been available in Hello, external authenticators such as security keys have now been added.


Also, since internal authenticators should be callable from WebAuthn, perhaps someone will write code that enables RS256 in the publicKey parameters.


Explanation

The procedure is as follows.


Go to https://webauthn.org, enter the user name, and press the Register button.

The Web Authentication API of Edge will then call Windows Hello, and as a result, the user will be asked to insert an external Authenticator key.


If this is the first time using the key, one will be asked to set a new PIN. In other words, it seems that User Verification (PIN or Biometrics authentication) is currently required.



After entering the new PIN, one will be asked to touch the key (User Presence). A dialog box will appear briefly when the touch is completed, indicating that the PIN setting is complete.


Next, the user will be asked to touch the key for Registration. (From now on, this key will use the user’s set PIN for registration and authentication.)



When the touch is completed, Registration is complete.



The user will be asked to enter the PIN whenever they log in next time.



If one tries this process with YubiKey 4, which supports only U2F, they will not be asked for a PIN.


The user name is required when logging in for compatibility with the U2F key.


Also, if it is a Resident Key (a key that can store user information), a user selection dialog should appear after the PIN is entered.
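The steps above as seen from the relying party's side, as an added example that is not part of the original article or of webauthn.org's code: it builds registration options that list ES256 and RS256 and require User Verification, then reads the User Presence (touch) and User Verification (PIN or biometrics) flags from the returned authenticator data. The function names and the sample bytes are constructed for illustration, and a U2F-only key is modelled as one that sets only the User Presence flag.

```javascript
// Added example, not from the original article. rpId and user values are constructed.
const crypto = require('crypto');

// Options a relying party would hand to navigator.credentials.create({ publicKey }).
function buildCreationOptions(rpId, userName, residentKey = false) {
  return {
    challenge: crypto.randomBytes(32),
    rp: { id: rpId, name: rpId },
    user: { id: crypto.randomBytes(16), name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256 (COSE algorithm id)
      { type: 'public-key', alg: -257 }, // RS256, the algorithm the article mentions
    ],
    authenticatorSelection: { userVerification: 'required', requireResidentKey: residentKey },
  };
}

// authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error('authenticatorData too short');
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & 0x01) !== 0,   // UP: the key was touched
    userVerified: (flags & 0x04) !== 0,  // UV: PIN or biometric check passed
    hasAttestedCredential: (flags & 0x40) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Server-side policy check; returns 'ok' or the reason for rejection.
function checkAuthenticatorData(buf, rpId, requireUserVerification) {
  const ad = parseAuthenticatorData(buf);
  const expected = crypto.createHash('sha256').update(rpId).digest();
  if (!crypto.timingSafeEqual(ad.rpIdHash, expected)) return 'rpIdHash mismatch';
  if (!ad.userPresent) return 'user presence flag not set';
  if (requireUserVerification && !ad.userVerified) return 'user verification flag not set';
  return 'ok';
}

// Constructed authenticatorData for a given RP id, flag byte and counter.
function sampleAuthData(rpId, flags, counter) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(counter, 1);
  return Buffer.concat([crypto.createHash('sha256').update(rpId).digest(), tail]);
}
```

A server that wants the PIN or biometric step to count as part of login has to check the User Verification flag itself, since a response with only User Presence set is otherwise well-formed.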


Although this Microsoft Edge update is still in beta, our team is wondering how Chrome will follow suit by supporting FIDO2-compatible security keys.

