Security key authentication popup

[stevealex1]

Hi,

I am working on a WPF application that uses the CefSharp browser control to authenticate users with security key.
In the latest Windows OS, security key authentication is done through the native windows security key dialog, not the browser embedded popup.

Fig1 - Browser embedded security popup

Fig2 - Windows native security key dialog

I understand that the browser embedded popup has security vulnerabilities but my requirement is to use the browser embedded popup for device detection, due to the reason that the native windows security dialog does not appear in a custom desktop (programmatically created desktop in Windows).

In WebView2, a command-line option was available to disable windows native security dialog (--disable-features="WebAuthenticationUseNativeWinApi") and show the browser embedded security popup.
Is there an equivalent command-line option available for CefSharp?

Thanks.

[amaitland]

Firstly CefSharp is just one of many chromium embedded framework(CEF) wrappers. CEF actually provides the underlying chromium implementation.

disable windows native security dialog (--disable-features="WebAuthenticationUseNativeWinApi")

The disable-features command line argument is generic to chromium, did you test and it's not working? If yes what does your code look like?

[stevealex1]

I am checking chrome://version to check the list of command-line options activated.
I have tried the following assuming such a command-line option exists for chromium:

• settings.CefCommandLineArgs.Add("--disable-features", "WebAuthenticationUseNativeWinApi");
• settings.CefCommandLineArgs.Add("disable-features", "WebAuthenticationUseNativeWinApi");
• settings.CefCommandLineArgs["disable-features"] += "WebAuthenticationUseNativeWinApi";

With the last one however application does not launch even though build was successful.

I have 2 questions for this.

1. Is this particular command-line option (--disable-features=WebAuthenticationUseNativeWinApi) available for chromium? If yes, am I using CefCommandLineArgs correctly?
2. If not using the above method, is there another way to use the browser embedded popup instead of Windows native security dialog?

Thanks.

[amaitland]

You can use https://cs.chromium.org to search the chromium source.

Quick check suggests that it is a base chromium feature, not a WebView2 specific one.
https://source.chromium.org/chromium/chromium/src/+/main:device/fido/features.cc;l=18?q=WebAuthenticationUseNativeWinApi&sq=&ss=chromium

With the last one however application does not launch even though build was successful.

Check the log file for errors.

If yes, am I using CefCommandLineArgs correctly?

CEF often has features disabled by default, usually loading chrome://version first them copy those to append your custom one. Separated by comma, no spaces.

Your second example looks fine. There are examples in this repository that can be used a general reference, quick search 3b6ff2f#diff-fcd8ad9db5710fa32dd265d3614937df862ca032103166c850de06f6e355f036R111

If not using the above method, is there another way to use the browser embedded popup instead of Windows native security dialog?

I don't know if CEF supports the old auth popup, possible it doesn't. I've got no means of testing this.

You can try searching on https://magpcss.org/ceforum/index.php