The trick is that Windows Hello seems to be returning PRF assertion values regardless of whether PRF was requested during creation (at least on https://webauthn-passkeys-prf-demo.explore.corbado.com/, which seems to be the most detailed).
But at the same time, Edge and Chrome don’t report that PRF is supported, nor do they provide the PRF assertion value on passkey creation. So the website thinks PRF won’t work and reports an error, but when you go to authenticate, it actually does work! Try using the demo website above to create a Hello passkey, and then try the “Authenticate & Get PRF Value”. For me, it results in this success:
In contrast, Firefox correctly shows that PRF is supported and gets the PRF assertion value on creation.
Since the authenticator is Windows Hello, the assertion value is the same regardless of which browser is used. If it weren’t for the bug preventing any passkey creation in Firefox, I might be able to create the Bitwarden encrypted login passkey on Firefox and then use it in Chrome or Edge.
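An added example (not part of the posts above, and not the demo site's code) of how a relying party could handle the mismatch described in that post: treat creation-time results as inconclusive and decide PRF support from an assertion made with `prf.eval`. The function names, state labels and sample objects are assumptions constructed for illustration; the inputs are the objects returned by `getClientExtensionResults()`.

```javascript
// Extension input for navigator.credentials.get(): evaluate the PRF on one salt.
function prfEvalExtension(salt) {
  return { prf: { eval: { first: salt } } };
}

// Return the PRF output as a Uint8Array, or null when the client supplied none.
function prfOutput(ext) {
  const first = ext?.prf?.results?.first;
  let bytes = null;
  if (first instanceof ArrayBuffer) bytes = new Uint8Array(first);
  else if (ArrayBuffer.isView(first)) {
    bytes = new Uint8Array(first.buffer, first.byteOffset, first.byteLength);
  }
  return bytes && bytes.length > 0 ? bytes : null;
}

// Hypothetical state labels: "usable", "probe-with-assertion", "unavailable".
function classifyPrf(createExt, getExt) {
  // Once an assertion with prf.eval has been made, its result is the verdict.
  if (getExt !== undefined) return prfOutput(getExt) ? "usable" : "unavailable";
  // Creation only: a missing prf entry or enabled flag is not proof that PRF
  // will fail later, so ask for an assertion instead of reporting an error.
  return prfOutput(createExt) ? "usable" : "probe-with-assertion";
}

// Compare two PRF outputs (e.g. from two browsers) without early exit.
function sameOutput(a, b) {
  if (!a || !b || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Constructed sample results, not captured from a real browser.
const silentCreate = {}; // browser reports nothing about PRF at creation
const fullCreate = {
  prf: { enabled: true, results: { first: new Uint8Array(32).fill(7).buffer } },
};
const laterGet = { prf: { results: { first: new Uint8Array(32).fill(7) } } };

console.log(classifyPrf(silentCreate));           // creation alone
console.log(classifyPrf(silentCreate, laterGet)); // after an assertion
console.log(sameOutput(prfOutput(fullCreate), prfOutput(laterGet)));
```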
Actually, I wrote them. And that was new to them yesterday. So, they were quick then it seems.
But, at the moment – and I wrote them that as well – when I register a passkey with PRF on my desktop PC via Firefox 149, it succeeds, but authentication still fails. (didn’t test it with my laptop – where it worked once – again now)
I did a little digging on GitHub and found two commits that seem to address exactly this behavior. It looks like there were specific changes regarding this in Firefox 147 and 148:
@passkeydemo Thanks for providing some more sources / evidence for all this…
Of course I tried this. But also using Chrome 147 doesn’t seem to enable a PRF-login-passkey – at least not with my “desktop” Windows Hello (which still shows that authentication error on the Corbado demo site).
My laptop doesn’t seem to suffer from that “authentication error” – but it didn’t receive Chrome 147 yet…