MacBook Touch ID attestation metadata


Cyril Labbe

Sep 7, 2020, 1:46:58 AM9/7/20
to FIDO Dev (fido-dev)
Hi,
I have to ask for the authenticator's attestation and check it against my repository of authenticator metadata, for security concerns.
It now works fine with Android SafetyNet and Windows Hello, as they are in the FIDO MDS, so their AAGUIDs & certificates allow me to check that the responses do come from one of these.

I'm concerned with the MacBook Pro's Touch ID, which does already work on Chrome as a FIDO authenticator if I don't check the attestation. Its AAGUID is not present in FIDO's MDS (adce0002-35bc-c60a-648b-0b25f1f05503) and I don't have a certificate to check if what pretends to be this AAGUID is reliable.

Is it possible to perform WebAuthn on the MacBook's Touch ID with attestation verification?

Best Regards

Shane Weeden

Sep 7, 2020, 3:11:47 AM9/7/20
to Cyril Labbe, FIDO Dev (fido-dev)
The Chrome on Mac support for platform authenticator uses self surrogate attestation and is not verifiable back to a trust root. The best you can do is match on AAGUID and say "that's what the authenticator claims to be".

Regards,
Shane. 

Sent from my iPhone


Cyril Labbe

Sep 7, 2020, 5:03:25 AM9/7/20
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev)
Thank you very much, I get it.
The upcoming update of iOS and macOS (https://developer.apple.com/videos/play/wwdc2020/10670/) should bring evolution to that, using another kind (not sure which) of attestation, verifiable this time.
I hope it will also concern Touch ID for macOS on MacBooks.

Regards.

Shane Weeden

Sep 7, 2020, 5:33:07 AM9/7/20
to Cyril Labbe, FIDO Dev (fido-dev)
My understanding is that at least initially the Big Sur macOS will allow platform authenticator use in Safari but will not change how Chrome-on-Mac works.

Sent from my iPhone


Cyril Labbe

Sep 14, 2020, 6:32:09 AM9/14/20
to FIDO Dev (fido-dev), Cyril Labbe
I see in the FIDO MDS2 that Windows Hello is present in 3 versions:
  • Windows Hello Software Authenticator
  • Windows Hello Hardware Authenticator
  • Windows Hello VBS Hardware Authenticator
No issues with the last 2, but the first attestation statement does not contain any root certificate and the attestation provided by the authenticator is self-signed.
What is the meaning of a self-signed authenticator being certified by FIDO? That there's a reliable authenticator out there, with specific warranties, but we will never know if it's really this one and if all the response and the attestation are forged?
Maybe I'm missing the point?
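As an added example (not code from this thread), the check a relying party can actually run for both cases discussed here, Chrome-on-Mac Touch ID and a self-signed MDS entry: parse the authenticator data, pull out the AAGUID, and record what the attestation format lets you conclude. A "none" statement, or a "packed" statement with no x5c chain, is self attestation, so the AAGUID is only a claim; only an x5c chain plus a root in your metadata leaves anything to verify. The metadata dictionary and the second AAGUID are constructed placeholders, and chain validation against a root is left to a later step.

```python
import hashlib
import struct
import uuid

# Constructed stand-in for a relying party's local metadata repository. The Touch ID
# AAGUID is the one quoted in the thread; the second entry is an invented placeholder
# for an authenticator whose metadata carries an attestation root certificate.
LOCAL_METADATA = {
    "adce0002-35bc-c60a-648b-0b25f1f05503": {"name": "Touch ID (Chrome on macOS)", "roots": []},
    "11111111-2222-3333-4444-555555555555": {"name": "placeholder hardware authenticator",
                                             "roots": ["<placeholder PEM root>"]},
}

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse authenticatorData far enough to get the AAGUID and credential ID.
    Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | key]"""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    out = {"rp_id_hash": auth_data[:32], "flags": flags,
           "sign_count": struct.unpack(">I", auth_data[33:37])[0], "aaguid": None}
    if flags & 0x40:  # AT bit: attested credential data follows
        out["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        out["credential_id"] = auth_data[55:55 + cred_id_len]
    return out

def classify_attestation(fmt: str, att_stmt: dict, aaguid: str, metadata: dict) -> str:
    """Decide how much the AAGUID can be trusted, before any signature work."""
    entry = metadata.get(aaguid)
    if entry is None:
        return "unknown-aaguid"              # not in our repository: reject or treat as anonymous
    if fmt == "none" or not att_stmt.get("x5c"):
        # "none", or "packed" without an x5c chain (self attestation): signed by the
        # credential key itself, so the AAGUID is only what the authenticator claims.
        return "self-attested-claim"
    if not entry["roots"]:
        return "no-trust-root-in-metadata"   # x5c present but nothing to chain it to
    return "chain-to-verify"                 # next step: validate x5c against entry["roots"]

# Constructed registration: UP|UV|AT flags, Touch ID AAGUID, 4-byte credential ID,
# followed by dummy bytes standing in for the COSE public key.
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest() + bytes([0x45]) + struct.pack(">I", 0)
                    + uuid.UUID("adce0002-35bc-c60a-648b-0b25f1f05503").bytes
                    + struct.pack(">H", 4) + b"\x01\x02\x03\x04" + b"\xa5" * 8)

def assess_registration(fmt: str, att_stmt: dict, auth_data: bytes, metadata=LOCAL_METADATA) -> dict:
    parsed = parse_auth_data(auth_data)
    parsed["trust"] = classify_attestation(fmt, att_stmt, parsed["aaguid"], metadata)
    return parsed
```

Run with `assess_registration("packed", {"alg": -7, "sig": b"\x00"}, SAMPLE_AUTH_DATA)` to see the Touch ID case come back as "self-attested-claim".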