Hi Dan, according to the documentation (https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-types-keys.html), the built-in authenticator for Touch ID or Windows Hello uses FIDO2 WebAuthn, but not all operating system/browser versions support WebAuthn. Could you check to confirm that your browser and operating system are supported by FIDO2 WebAuthn? Based on this link (https://www.w3.org/TR/webauthn-2/#sctn-sample-registration-with-platform-authenticator), you can try two functions in the browser developer console to see if WebAuthn works:
- window.PublicKeyCredential => is a function
- PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().then(console.log) => shows "true"
In my current test, I successfully registered my Touch ID in IAM Identity Center on macOS Ventura with the Chrome browser, and I don't see the error:
"eventSource": "sso-directory.amazonaws.com",
"eventName": "CompleteWebAuthnDeviceRegistration",
...
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"requestParameters": {
"deviceId": "XXXXXXXXXXXXX", "publicKeyCredentialJSON": "HIDDEN_DUE_TO_SECURITY_REASONS"
...
Hi Bard Lan, yes, you are right!
I don't have a support plan, and it's hard for me to afford one.
However, I went deeper into the matter and compared the WebAuthn payloads between a working device (yes, I found one) and a broken one, and I noticed that the 'attestationObject' attribute in the JSON responses has totally different lengths, longer in the second case.
At this point I believe that the device uses an algorithm/format not yet supported by the AWS identity pool.
Also, the key is returned by the OS (Touch ID or Windows Hello), so I think it mainly depends on the OS. At this point I think that some update released recently changed the behavior of the WebAuthn handshake.
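Two things in this thread are worth automating: the console checks suggested above (is a user-verifying platform authenticator available at all?) and the comparison of the attestationObject between a working and a broken device. The length difference the previous post reports is usually explained by the attestation format: an attestationObject is a CBOR map {fmt, attStmt, authData}, and a "none" attestation carries an empty attStmt while formats such as "packed", "tpm" or "apple" carry an x5c certificate chain that adds hundreds of bytes. Which format comes back depends on the OS, the browser and the relying party's attestation preference. The following is an added example, not code from the thread or from AWS: a minimal CBOR decoder, an authData parser and a summariser that reports fmt, attestation-statement keys, certificate-chain bytes, COSE algorithm and credential ID length. The two attestation objects at the bottom are constructed with a small CBOR encoder so the example runs offline; `registerAndSummarize` is a browser-only helper (assumed names, run it in the developer console of each device and diff the summaries).

```javascript
// Added example (not from the thread): decode a WebAuthn attestationObject and
// report what makes it long or short. Samples at the bottom are CONSTRUCTED.

// Minimal CBOR encoder/decoder: ints, byte strings, text, arrays, maps.
// Enough for attestation objects and COSE keys; assumes lengths < 65536.
function encodeCbor(v) {
  const out = [];
  const head = (major, n) => {
    if (n < 24) out.push((major << 5) | n);
    else if (n < 256) out.push((major << 5) | 24, n);
    else out.push((major << 5) | 25, n >> 8, n & 0xff);
  };
  const enc = (x) => {
    if (typeof x === 'number') x >= 0 ? head(0, x) : head(1, -1 - x);
    else if (x instanceof Uint8Array) { head(2, x.length); out.push(...x); }
    else if (typeof x === 'string') { const b = new TextEncoder().encode(x); head(3, b.length); out.push(...b); }
    else if (Array.isArray(x)) { head(4, x.length); x.forEach(enc); }
    else if (x instanceof Map) { head(5, x.size); for (const [k, val] of x) { enc(k); enc(val); } }
    else throw new Error('unsupported type');
  };
  enc(v);
  return Uint8Array.from(out);
}

function decodeCbor(bytes) {
  let pos = 0;
  const len = (info) => {
    if (info < 24) return info;
    if (info === 24) return bytes[pos++];
    if (info === 25) { const n = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; return n; }
    throw new Error(`unsupported length encoding ${info}`);
  };
  const item = () => {
    const b = bytes[pos++], major = b >> 5, n = len(b & 0x1f);
    switch (major) {
      case 0: return n;                       // unsigned int
      case 1: return -1 - n;                  // negative int (COSE alg ids are negative)
      case 2: { const s = bytes.slice(pos, pos + n); pos += n; return s; }
      case 3: { const s = new TextDecoder().decode(bytes.slice(pos, pos + n)); pos += n; return s; }
      case 4: return Array.from({ length: n }, () => item());
      case 5: { const m = new Map(); for (let i = 0; i < n; i++) { const k = item(); m.set(k, item()); } return m; }
      default: throw new Error(`unsupported major type ${major}`);
    }
  };
  const value = item();
  return { value, bytesRead: pos };
}

// authData layout (WebAuthn L2 s6.1): rpIdHash[32] | flags[1] | signCount[4] |
// when the AT flag is set: aaguid[16] | credIdLen[2] | credId | COSE public key.
function parseAuthData(ad) {
  const flags = ad[32];
  const out = { flags: { up: !!(flags & 0x01), uv: !!(flags & 0x04), at: !!(flags & 0x40), ed: !!(flags & 0x80) } };
  if (!out.flags.at) return out;
  out.credIdLen = (ad[53] << 8) | ad[54];
  const keyStart = 55 + out.credIdLen;
  const { value: cose, bytesRead } = decodeCbor(ad.slice(keyStart));
  out.alg = cose.get(3);                       // COSE alg: -7 = ES256, -257 = RS256
  out.extensionBytes = ad.length - keyStart - bytesRead;
  return out;
}

function summarizeAttestation(attObj) {
  const { value: att } = decodeCbor(attObj);
  const attStmt = att.get('attStmt');
  const ad = parseAuthData(att.get('authData'));
  const x5c = attStmt.get('x5c') || [];
  return {
    totalBytes: attObj.length,
    fmt: att.get('fmt'),
    attStmtKeys: [...attStmt.keys()],
    certChainBytes: x5c.reduce((n, c) => n + c.length, 0),
    alg: ad.alg, credIdLen: ad.credIdLen, uv: ad.flags.uv,
  };
}

// Browser only (assumed helper): register a platform authenticator with
// attestation "direct" and summarise the response. Run on each device and diff.
async function registerAndSummarize(rpId = location.hostname) {
  const cred = await navigator.credentials.create({ publicKey: {
    rp: { id: rpId, name: rpId }, user: { id: new Uint8Array(16), name: 'probe', displayName: 'probe' },
    challenge: crypto.getRandomValues(new Uint8Array(32)),
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    authenticatorSelection: { authenticatorAttachment: 'platform', userVerification: 'required' },
    attestation: 'direct',
  } });
  return summarizeAttestation(new Uint8Array(cred.response.attestationObject));
}

// Constructed samples: placeholder rpIdHash/key bytes, flags UP|UV|AT (0x45).
function buildAuthData(credIdLen, alg) {
  const coseKey = new Map([[1, 2], [3, alg], [-1, 1],
    [-2, new Uint8Array(32).fill(0x33)], [-3, new Uint8Array(32).fill(0x44)]]);
  return Uint8Array.from([...new Uint8Array(32).fill(0x11), 0x45, 0, 0, 0, 0, ...new Uint8Array(16),
    credIdLen >> 8, credIdLen & 0xff, ...new Uint8Array(credIdLen).fill(0x22), ...encodeCbor(coseKey)]);
}
// fmt "none": empty attStmt, ES256 key, 20-byte credential ID.
const SAMPLE_NONE = encodeCbor(new Map([['fmt', 'none'], ['attStmt', new Map()], ['authData', buildAuthData(20, -7)]]));
// fmt "packed" with a fake 700-byte x5c certificate: same key type, much longer object.
const SAMPLE_PACKED = encodeCbor(new Map([['fmt', 'packed'],
  ['attStmt', new Map([['alg', -7], ['sig', new Uint8Array(64).fill(0x55)], ['x5c', [new Uint8Array(700).fill(0x30)]]])],
  ['authData', buildAuthData(32, -7)]]));

if (typeof window === 'undefined') console.log(summarizeAttestation(SAMPLE_NONE), summarizeAttestation(SAMPLE_PACKED));
```

The summary is what to compare across devices: if the broken device reports a fmt or COSE alg the working one does not, that is the concrete difference to put in a support case, rather than the raw byte length.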
Hi Bard Lan, thanks for replying. As you suggested, the commands return the correct answers.
The problem is present on every device, OS and browser tested:
OS:
Browser:
The issue also occurs on the same devices and configurations that successfully registered MFA one month ago.
I also tried checking the IAM role related to SSO, but I didn't find any change.
Could there be some misconfigured resource on the AWS account that could affect the MFA registration workflow?
Regards.
The MFA registration you used is at the top right of the login page of AWS IAM Identity Center (SSO), right? I didn't run into the issue you faced; maybe you can open a support ticket to have an AWS technical support engineer help you figure out what's going on?