WebAuthn Conditional UI

Despite its recent introduction and ongoing adoption by browsers, there's a noticeable gap in technical documentation and implementation advice for Conditional UI. This article aims to bridge that gap by explaining what Conditional UI is, how it works, and how to tackle common challenges during its implementation.
Conditional UI Benefits and Drawbacks Benefits Streamlined authentication: The process is more streamlined and efficient, removing the complexities often associated with multiple authentication methods.
Simple frontend integration: One of the standout features of Conditional UI is its ease of integration.
Drawbacks Learning curve for developers: Conditional UI introduces a new paradigm, which means there's a learning curve involved for developers unfamiliar with its intricacies.
No conditional passkey register: There's no support for using Conditional UI in the account/passkey creation process.
There's an ongoing discourse about the potential inclusion of Conditional UI for sign-ups as well.
As standards for Conditional UI are relatively new, we hope that things improve so that, e.g., not two autofill menus are overlaid or the desired one is not shown at all.
In general, the Conditional UI process flow can be partitioned into two phases.
During the page load phase, conditional UI logic happens in the background, while in the user operation phase, the user has to do something actively.
Conditional UI availability checks: The client calls the isConditionalMediationAvailable() function to detect if the current browser/device combination supports Conditional UI.Only if the response is true does the process continue; otherwise, the Conditional UI process is aborted.
Call the conditional UI endpoint: Next, the client calls the server Conditional UI endpoint in order to retrieve the PublicKeyCredentialRequestOptions.
Implement Conditional UI detection that ensures that Conditional UI is only employed when the current device/browser combination supports it.
If Conditional UI support is given, the Conditional UI login process can be started.
If there's no available passkey, or the user neglects the suggested passkeys and enters their email, the Conditional UI flow is stopped.
A critical point to emphasize here is the potential need to halt an ongoing Conditional UI request.
The WebAuthn standard suggests utilizing an AbortController to cancel a WebAuthn process, applicable to both regular and Conditional UI login processes (see WebAuthn's Docs for details).
The Conditional UI login process gets activated as soon as a user lands on the page.
Remember to set up a fresh AbortController each time you trigger Conditional UI. Using an already-aborted AbortController will lead to an instant cancellation of the passkey / WebAuthn function.
In the absence of Conditional UI support, direct users towards the regular passkey login process.
To illustrate how Conditional UI looks like for the end user, we added several screenshots of a Conditional UI autofill menu using https://passkeys.


This Cyber News was published on feeds.dzone.com. Publication date: Wed, 06 Dec 2023 14:13:05 +0000


Cyber News related to WebAuthn Conditional UI

WebAuthn Conditional UI - Despite its recent introduction and ongoing adoption by browsers, there's a noticeable gap in technical documentation and implementation advice for Conditional UI. This article aims to bridge that gap by explaining what Conditional UI is, how it ...
11 months ago Feeds.dzone.com
Discord adds Security Key support for all users to enhance security - Discord has made security key multi-factor authentication available for all accounts on the platform, bringing significant security and anti-phishing benefits to its 500+ million registered users. The popular social platform first highlighted the ...
11 months ago Bleepingcomputer.com
Microsoft will roll out MFA-enforcing policies for admin portal access - Microsoft will soon start rolling out Conditional Access policies requiring multifactor authentication from administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure. The company will also ...
11 months ago Bleepingcomputer.com
Selecting an Authentication Protocol for Your Business - Authentication protocols serve as the backbone of online security, enabling users to confirm their identities securely and access protected information and services. The protocols exchange information to verify the validity of the authentication ...
7 months ago Darkreading.com
5 ways to secure identity and access for 2024 - 1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively. Learn how unified multicloud ...
10 months ago Microsoft.com
New Developer Tools Are Necessary to Boost Passkey Adoption - The password-less technology known as passkeys are esoteric, far from widely adopted, and confusing for consumers. Based on the WebAuthn standard created by the World Wide Web Consortium and the FIDO Alliance - and jointly supported by Apple, Google, ...
10 months ago Darkreading.com
Bitwarden adds passkey support to log into web password vaults - The open-source Bitwarden password manager has announced that all users can now log into their web vaults using a passkey instead of the standard username and password pairs. Passkeys are the more secure alternative to the passwords that most people ...
10 months ago Bleepingcomputer.com
CVE-2017-12289 - A vulnerability in conditional, verbose debug logging for the IPsec feature of Cisco IOS XE Software could allow an authenticated, local attacker to display sensitive IPsec information in the system log file. The vulnerability is due to incorrect ...
5 years ago
5 Best Practices for Securing Azure Resources - Cloud computing has become the backbone for modern businesses due to its scalability, flexibility and cost-efficiency. As organizations choose cloud service providers to power their technological transformations, they must also properly secure their ...
8 months ago Crowdstrike.com
CVE-2021-40818 - scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer overflow during FIDO2 signature validation in webauthn registration. ...
3 years ago
CVE-2022-27240 - scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion. ...
2 years ago
CVE-2020-8236 - A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it. ...
2 years ago
CVE-2024-47650 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Axton WP-WebAuthn allows Stored XSS.This issue affects WP-WebAuthn: from n/a through 1.3.1. ...
1 month ago
CVE-2008-0117 - Unspecified vulnerability in Microsoft Excel 2000 SP3 and 2002 SP2, and Office 2004 and 2008 for Mac, allows user-assisted remote attackers to execute arbitrary code via crafted conditional formatting values, aka "Excel Conditional Formatting ...
11 months ago
CVE-2024-26667 - In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup The commit 8b45a26f2ba9 ("drm/msm/dpu: reserve cdm blocks for writeback in case of YUV output") introduced a ...
7 months ago Tenable.com
CVE-2011-1989 - Microsoft Excel 2003 SP3 and 2007 SP2; Excel in Office 2007 SP2; Excel 2010 Gold and SP1; Excel in Office 2010 Gold and SP1; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; Office Compatibility Pack for ...
6 years ago
Researchers Disclose Proof of Concept for New GhostRace Attack - IBM and VU Amsterdam University researchers published on March 12th their study about the new GhostRace attack type. Apart from the technical paper, blog post and Proof of Concept exploit, they also released scripts for scanning the Linux kernel for ...
8 months ago Heimdalsecurity.com
CVE-2022-45070 - Missing Authorization vulnerability in FmeAddons Conditional Checkout Fields for WooCommerce.This issue affects Conditional Checkout Fields for WooCommerce: from n/a through 1.2.3. ...
6 months ago Tenable.com
QR Code Scammers are Changing Tactics to Evade Detection - Check Point researchers last year saw a 587% increase between August and September of phishing attacks enticing unsuspecting targets to click on QR codes that then redirect them to malicious pages used for harvesting credentials. The cybersecurity ...
9 months ago Securityboulevard.com
CVE-2021-47411 - In the Linux kernel, the following vulnerability has been resolved: io_uring: allow conditional reschedule for intensive iterators If we have a lot of threads and rings, the tctx list can get quite big. This is especially true if we keep creating new ...
6 months ago Tenable.com
CVE-2024-46828 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
CVE-2024-50412 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jules Colle Conditional Fields for Contact Form 7 allows Stored XSS.This issue affects Conditional Fields for Contact Form 7: from ...
3 weeks ago
CVE-2021-38299 - Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence. ...
2 years ago
CVE-2021-32800 - Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient ...
2 years ago
CVE-2023-5729 - A malicious web site can enter fullscreen mode while simultaneously triggering a WebAuthn prompt. This could have obscured the fullscreen notification and could have been leveraged in a spoofing attack. This vulnerability affects Firefox < 119. ...
10 months ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)