What Windows policy settings are minimally required to get a true/false response from isUserVerifyingPlatformAuthenticatorAvailable()?

In a corporate setting there are Windows Group Policies restricting the use of FIDO Platform authenticators (e.g. Windows Hello (for Business) on Microsoft Windows devices).

Using the PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() method in a browser results in false (https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/isUserVerifyingPlatformAuthenticatorAvailable_static).

Is there any clear approach on which Windows Group Policy settings need to be enabled/set exactly to get a true response?

Second, which policies would be required to make the FIDO/WebAuthN platform authenticator work, if those would be different/further policies?

If possible, we don't need users to roll out for Windows Hello for Business or have that active, but they should be able to pair their device as a FIDO Platform authenticator for other online services/platforms, where that is a possible authentication method.

Yes, I can try it out, but maybe there is a good explanation or somebody else already faced this issue (possibly in a corporate context with restricted/managed devices).

`which policies would be required to make the FIDO/WebAuthN platform authenticator work?` Work? You need to be specific. Do you need it for logging on to the endpoint or to use with a web application?

kmindi: First, to get a `true` response from `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` (it doesn't matter which of the mechanisms, like biometrics/PIN/..., are used, but to make any of them available to the browser as a platform authenticator).

Can you provide the Windows versions you tested this on with a fresh install and it worked as expected? And not joined to a domain. (Group Policy only applies to a domain member).

kmindi: A fresh install might work fine; I only have devices where it does not work. Those are corporate managed devices with group policies; I'd need to check which policies are set/not set. But that is the question: which policies are interesting here ;)

A test on a fresh install not domain joined should be the first step. Then the other variations. Fresh install, and domain joined. Existing endpoint switched to workgroup.

kmindi: Yes, that would be the approach to figure it out by trial and error until I have the policies identified. But I was hoping for someone already having that knowledge or better documentation. Anyway, if I figure it out I'll post it as an answer.

I've seen several questions about this on Stack Overflow, may want to try there. Probably more usage there than a corporate environment, given the prevalence of other authenticators.