Passkeys coverage #35943
Conversation
Looks like a great start. I'd be curious to hear what @danroth27 thinks about open questions regarding organization.
🦖 NOTE TO SELF 🦖 Ask Andy to update the cross-links at https://learn.microsoft.com/dotnet/core/install/upgrade after this goes live. There will be a landing page for our Migration node articles to cross-link ... [Migrate an ASP.NET Core app](/aspnet/core/migration/) Recommend adding a breaking change landing page to harden the Breaking changes in .NET 9 cross-link. The MAUI link is a problem to harden: https://github.com/dotnet/maui/wiki/Upgrading-.NET-MAUI-from-.NET-7-to-.NET-8
BTW @MackinnonBuck @danroth27 ... There's a strange 👽 ".1" in the project template links these days (
@danroth27 @MackinnonBuck ... I just converted over to ref source links in the passkeys migration article, and it will be great if framework filenames and locations will be stable. I LIKE IT!—Emil M. Antonowsky (Paul McCrane) - RoboCop ©1987 MGM Studios/Orion Pictures
@danroth27 @MackinnonBuck ... I have a coverage concept that makes sense to a 🦖 for discussion. Given Blazor's place in .NET now, the current layout of coverage seems disorganized. RP and MVC don't have fundamentals, host and deploy, and security articles in their MVC and RP folders like Blazor does. The pattern to consider is (in the main doc set) .....
For passkeys, we don't have coverage for RP/MVC yet, but it goes like this (assuming that one day we have RP/MVC coverage) ...
Other subjects (Account confirmation and password recovery, TOTP/QR codes) could follow the same pattern. Alternatively ... split coverage for passkeys goes like this ..........
The latest commit puts my concept in place for passkeys to see how it composes. I look forward to hearing back either way. 👂
@MackinnonBuck ... Is the "Update Identity schema version" guidance point-in-time instructions only for when an app is migrating to .NET 10, or is that general guidance for all future releases? Same ❓ for the "Create and run a database migration" step ... that seems point-in-time only for migration to .NET 10.
I still need PU feedback on this ...
Please help as soon as you can. We have a lot of ToC churn, and the PRs start stepping on each other when they sit for long periods of time.
Looks great! 👍
I left a few comments, though at some point I realized that the ref docs links were intentionally omitted, so maybe those comments can just be ignored. All the others were minor, so resolve them as you see fit.

When an authenticator model is discovered to have security vulnerabilities, you may need to revoke affected credentials. The implementation stores the complete attestation object with each credential, including the Authenticator Attestation GUID (AAGUID), which is a 128-bit identifier indicating the key type.

**Implementation**: Extract AAGUIDs from stored attestation objects, compare against known-compromised models, and revoke affected credentials. AAGUID reliability depends on whether your app validates attestation statements.
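Review bot: the closing sentence of the **Implementation** paragraph states the dependency but not its consequence; say explicitly that when the app does not validate attestation statements the AAGUID is an unverified, client-supplied value, so revocation keyed on it can only be relied on for credentials whose attestation statement was validated at registration, and point the reader to where attestation statement validation is hooked in.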
Can we provide a reference for validating attestation statements?
There's already an example here that shows how to hook in custom attestation statement validation logic, but we could go further by:
- Linking to libraries that implement attestation statement validation (such as fido2-net-lib)
- Producing a sample that shows how a library such as fido2-net-lib can be used to add attestation statement validation to an app
Co-authored-by: Mike Kistler <[email protected]>
Sorry, @mikekistler ... No 🎲🎲 on these until GA .....
They'll have to be commented out until GA. This is typical for preview API. I'll circle back in November to get them all set up ... here and everywhere else.
The `UserVerificationRequirement` option determines whether the authenticator must verify the user's identity (through biometric or PIN methods), while `ResidentKeyRequirement` indicates whether the credential should be discoverable, allowing authentication without first providing a username. For more information during the .NET 10 preview release period, see the [`IdentityPasskeyOptions` reference source (`dotnet/aspnetcore` GitHub repository)](https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Core/src/IdentityPasskeyOptions.cs).
A callout that "some authenticators say that user verification was completed without actually doing anything, see https://passkeys.dev/docs/reference/known-issues/#user-verification" might be worth it here?
That's a bit stale (May 31, 2025), but a testing recommendation of some sort seems like the right approach. Mackinnon will advise.
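The AAGUID-based revocation described in the article excerpt above and the user-verification concern raised in the thread, as one added Python example that is not code from dotnet/aspnetcore or from the article: it decodes a stored WebAuthn attestation object, reads the AAGUID and flag bits from authenticatorData, reports whether the authenticator actually set the UV flag, and marks the AAGUID as trustworthy only when an attestation statement exists to validate. The AAGUID, credential id and revocation set are constructed placeholders, and the CBOR decoder is deliberately minimal (enough for attestation objects, not general CBOR).

```python
import uuid

UP, UV, AT = 0x01, 0x04, 0x40  # authenticatorData flag bits (WebAuthn)

def cbor_decode(b: bytes, i: int = 0):
    """Minimal CBOR decoder: ints, byte strings, text, maps (all an attestation object needs)."""
    major, info = b[i] >> 5, b[i] & 0x1F
    i += 1
    if info >= 24:  # 1-, 2- or 4-byte length follows (8-byte/indefinite forms not needed here)
        width = {24: 1, 25: 2, 26: 4}[info]
        info, i = int.from_bytes(b[i:i + width], "big"), i + width
    if major == 0:
        return info, i
    if major in (2, 3):
        data = b[i:i + info]
        return (data if major == 2 else data.decode()), i + info
    if major == 5:
        out = {}
        for _ in range(info):
            k, i = cbor_decode(b, i)
            out[k], i = cbor_decode(b, i)
        return out, i
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_auth_data(ad: bytes) -> dict:
    """rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | credId | COSE key (AT set)."""
    out = {"uv": bool(ad[32] & UV), "sign_count": int.from_bytes(ad[33:37], "big"), "aaguid": None}
    if ad[32] & AT:
        out["aaguid"] = uuid.UUID(bytes=ad[37:53])
        n = int.from_bytes(ad[53:55], "big")
        out["cred_id"] = ad[55:55 + n]
    return out

def check_credential(attestation_object: bytes, revoked: set, require_uv: bool) -> dict:
    att, _ = cbor_decode(attestation_object)
    ad = parse_auth_data(att["authData"])
    return {
        "aaguid": str(ad["aaguid"]),
        # fmt "none" has no statement to validate, so its AAGUID is unverified client input.
        "aaguid_attested": att["fmt"] != "none",
        "revoked_model": ad["aaguid"] in revoked,
        "uv_satisfied": ad["uv"] or not require_uv,
    }

# Constructed sample (hypothetical AAGUID, not a real model): UP and AT set, UV NOT set.
HYPOTHETICAL_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000aa")
SAMPLE_AUTH_DATA = (bytes(32) + bytes([UP | AT]) + (7).to_bytes(4, "big") + HYPOTHETICAL_AAGUID.bytes
                    + (4).to_bytes(2, "big") + b"cred")  # COSE public key omitted; not parsed here
SAMPLE_ATTESTATION = (b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData"
                      + bytes([0x58, len(SAMPLE_AUTH_DATA)]) + SAMPLE_AUTH_DATA)
```

Validating the attestation statement itself (the `fmt`-specific checks the thread suggests delegating to a library such as fido2-net-lib) is not implemented here; `aaguid_attested` only records that a statement exists, and `uv_satisfied` is the check that catches an authenticator returning an assertion without the UV bit when the app required verification.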
* **Adding passkeys to existing accounts**: Users with password-based accounts can register passkeys as an additional authentication method.
* **Passwordless account creation**: Users can create accounts without a password by registering a passkey on account creation.
* **Passwordless sign-in**: Users can authenticate using only their passkey without entering a password.
Is usernameless/WebAuthn conditional UI a supported scenario?
Yes, although usernameless account creation and "conditional create" are not implemented in the project template at this time. However, the template does implement conditional UI for login (i.e., passkey autofill).
There's a super basic sample in the aspnetcore repo that demonstrates passwordless account creation.
Apologies for the delayed reply, @guardrex.
It's a convention in the templating engine that's required for certain things to work. See this comment for more info. Generally, links to files or directories in the repo aren't guaranteed to be stable unless they're permalinks.
Only when the app is upgrading to .NET 10. The latest project templates already have the correct migrations and Identity store schema version configured out of the box.
Yep, only applicable when upgrading to .NET 10.
Thanks @MackinnonBuck ... I'll react to your feedback soon, no later than Monday morning.
Co-authored-by: Mike Kistler <[email protected]>
@MackinnonBuck ...

**New dev versus adding passkeys**

We should be fine on this point. I'm using a pivot in the Blazor article between new dev (project template) and adding passkeys to an existing app.

**What's actionable on this one?**

On your answer at #35943 (comment), it's not clear what part of that, if anything, should go into the guidance ... and where/how. Do you have a specific text change request?

**Passkey providers that don't follow the specs**

... not sure what's actionable on it. The linked content could easily go stale ... it might already be stale.

**Permalinks versus direct links to ref source**

On permalinks, that would need to be set up/requested by MS personnel for me. There are ...

**Sample that uses a lib**

If you want to provide another sample, we can open a new issue from the bottom of the article after this is published to get that going.

**Overall layout of articles**

@danroth27 ... Let me know if you prefer the split-coverage approach, where the main doc set has the passkeys overview and the Blazor-specific article goes into Blazor's security node. If you prefer that setup before I merge here, I'll move things around now. If I don't hear back in time for this PR, I'll create a new PR to move the bits around. These articles won't merge live immediately, so we have time today to sort this out.
I don't think this needs to go into the guidance.
We could just call out that different authenticators have different behavior when it comes to fulfilling the User Verification requirement, and if you want to disallow specific authenticators from being used, you can implement attestation statement validation. I don't think it hurts to link to that external table, but I'm also not sure what policies we have (if any) on doing so.
On GitHub, you can get a permalink to the file by doing this:
That would be great 🙂
Thanks, @MackinnonBuck! Over eight years here, and that permalink feature was unknown to me. Learn something new every day around here! 🧑🏫 I'll get this wrapped up and merged. If Dan wants the split coverage layout, I'll place that later on a separate PR. I need to move on to the final push on RC1 updates. BTW ... Now that I think about it, I guess what confused me was "permalink" versus "aka" links ... the "aka" links are the ones that I can't create/request myself. However, I wasn't aware of the permalink feature, so thanks for that tidbit. Permalinks aren't going to work for our links here. We must link to
It's a bit scary 🎃 to cross-link such content. We're trusting that they're correct in the first place, and then we're trusting that they'll keep their table up to date ... even then, we're risking that they'll keep the table/keep it in the same place or redirect when moving it. I defer to @danroth27 to decide in this case if it's worth the risks.
Fixes #35728