FIDO2 standard clarifying


Ondrej Krc-Jediny

May 24, 2018, 6:44:47 AM
to FIDO Dev (fido-dev)
Researching the new FIDO2 standard, I came across a few points that I do not understand and would appreciate assistance.

 1. Does FIDO2 obsolete FIDO UAF and FIDO U2F?
 2. If it does not, what use cases does the UAF protocol support that FIDO2 does not, since FIDO2 also supports the passwordless scenario?
 3. Is it possible to implement software FIDO2 Authenticator, or does it have to be hardware based? Can it reside on the same device as the client (e.g. app in a browser that I'm authenticating against)? In this case, how will the Authenticator and the client communicate, when CTAPv2 protocol only specifies USB, NFC and Bluetooth?
 4. FIDO website says that "Android and Windows 10 also will have built-in support for FIDO Authentication". Does that mean that as I now can call credentials.navigator.create() and credentials.navigator.get() in WebAuthn-supporting browsers, I will be able to call something similar in Windows/Android API? On Android, is it already possible using this API?
 5. If I want to achieve multi-factor authentication using the new Yubico Security Key and Windows Hello, how will that work? Will I touch the key sensor as one factor, and e.g. enter PIN and/or scan a fingerprint as additional factor(s)? In that case, will there be two FIDO Authenticators, both the key and Windows Hello?

Thank you very much.

Roman

May 26, 2018, 5:27:03 AM
to FIDO Dev (fido-dev)


On Thursday, May 24, 2018 at 12:44:47 PM UTC+2, Ondrej Krc-Jediny wrote:
...

 3. Is it possible to implement software FIDO2 Authenticator, or does it have to be hardware based? Can it reside on the same device as the client (e.g. app in a browser that I'm authenticating against)? In this case, how will the Authenticator and the client communicate, when CTAPv2 protocol only specifies USB, NFC and Bluetooth?
...

Hey,
Software emulation is possible, and has been done for U2F in the past, see my question from last week: https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/oLPswJdXchE
Putting the security aspects aside, you can simulate a hardware token with the USB HID protocol. If you're interested in the web API you can always write your own version of navigator.credentials.create() and navigator.credentials.get() and overwrite the existing calls to use yours (for a neat example of this for U2F see the U2F extension in the link above).
Hope this helps,
Roman

Ondrej Krc-Jediny

Jun 4, 2018, 3:28:33 PM
to FIDO Dev (fido-dev)

Thank you very much. I have two follow-up questions regarding the software authenticator topic (1 and 2) and two more unrelated questions. I would appreciate help clarifying these:


  1. In the WebPayment & WebAuthn Demo, Adam Powers wrote a comment: “CTAP is for external authenticators attached by USB, NFC, or BLE. This was an internal authenticator.”. In that case, how did the browser communicate with the internal authenticator? Or, more broadly, what are the possible options for such communication?

  2. WebAuthn scenarios describe mobile phone as an authenticator (when authenticating against e.g. a laptop). Does it need to communicate via CTAP as well, being an external authenticator?

  3. The WebAuthn specification describes user-verifying platform authenticators. Why is there no notion of user-verifying roaming authenticators? Is such a thing not possible?

  4. Adam Langley's blog post mentions that "There are no CTAP2 devices on the market yet but their major distinguishing feature will be that they can be used as a 1st (and only) factor. I.e. they have enough internal storage that they can contain a username and so both provide an identity and authenticate it.". Could anybody please explain how this works and what other scenarios it will add to the existing scenarios already supported?

Adam Powers

Jun 4, 2018, 4:52:25 PM
to FIDO Dev (fido-dev), Ondrej Krc-Jediny
1. Some browsers will use native APIs to communicate to authenticators, such as the Android Fingerprint API or the Windows Hello API. This is up to the OS vendors to decide what APIs they want to offer; and up to the browser vendors to decide which OS-specific APIs they want to support.

2. If a browser is using an OS-specific API, it doesn't necessarily need to use CTAP. I'm not sure what the public statements are about which browsers are supporting which APIs and / or CTAP, so I will leave it up to them to clarify.

3. Roaming authenticators still exist, but the name has changed. I think they're called "cross-platform" authenticators now (in the sense that you can use the same authenticator on different platforms, where platform is synonymous with OS). In contrast, "platform" authenticators are the authenticators that use the native APIs mentioned above and are built in to a specific OS.

4. One example would be the Feitian FIDO2 authenticators that have fingerprint recognition built in to them. There may be similar devices from other vendors. https://www.ftsafe.com/products/FIDO2 There are also authenticators that support the CTAP2 PIN protocol. If an authenticator supports biometrics or PIN, the User Verification (UV) flag will be set in the authenticator data; if not, the User Presence (UP) flag will be set.

I hope that helps.

Adam
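As an added example (not code from this thread or from any FIDO project), the following JavaScript parses the authenticatorData layout that a WebAuthn response carries and checks the User Presence (UP) and User Verification (UV) flag bits that Adam describes in point 4. The sample byte array and the `acceptsAsSingleFactor` relying-party policy function are constructed for illustration and are not part of the WebAuthn API.

```javascript
// Layout of authenticatorData per WebAuthn: rpIdHash (32 bytes),
// flags (1 byte), signCount (4 bytes, big-endian), then optional
// attested credential data and extension data.
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)
const FLAG_AT = 0x40; // bit 6: attested credential data included
const FLAG_ED = 0x80; // bit 7: extension data included

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical relying-party policy: a UP-only assertion proves only
// that someone touched the key, so it is at best a second factor;
// a passwordless ("1st and only factor") login must also require UV.
function acceptsAsSingleFactor(authData, storedSignCount) {
  if (!authData.userPresent) return false;
  if (!authData.userVerified) return false;
  // A non-zero counter that does not increase suggests a cloned authenticator.
  if (authData.signCount !== 0 && authData.signCount <= storedSignCount) return false;
  return true;
}

// Constructed sample: rpIdHash of 32 0xAA bytes, caller-chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xaa, 0, 32);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}
```

In a real flow the bytes come from `PublicKeyCredential.response.authenticatorData` and the stored counter from the relying party's credential record.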

Ondrej Krc-Jediny

Jun 5, 2018, 7:33:29 AM
to Adam Powers, FIDO Dev (fido-dev)
Thank you.

2. I was talking about a phone being an external authenticator (when doing authentication on a desktop/laptop). In that case I don't fully understand your answer on how OS-specific APIs can be used when talking to an external authenticator.
3. I understand the difference between platform and roaming (cross-platform) authenticators, but reading the chapter 12 - Sample scenarios of WebAuthn, I came across "user-verifying platform authenticator" (there is also a method PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()). I was wondering why there is no roaming (cross-platform) equivalent of this.

Thanks a lot,
Ondrej


Wataru Haniyama

Jun 6, 2018, 9:29:53 AM
to FIDO Dev (fido-dev), ad...@fidoalliance.org
Thank you, Adam and Ondrej.

This is a very useful discussion for me.

My understanding is that it's necessary to implement CTAP2 in an application for a phone to be a cross-platform authenticator.

If we do so, the phone might perform as a cross-platform authenticator for PCs. And it could also work as a platform authenticator for the phone itself, if the platform supports it.
But I don't know whether these authenticators perform with equivalent credentials.


On Tuesday, June 5, 2018 at 8:33:29 PM UTC+9, Ondrej Krc-Jediny wrote:

Tomas Špokas

Jul 13, 2018, 1:08:41 AM
to FIDO Dev (fido-dev)
1. Does FIDO2 obsolete FIDO UAF and FIDO U2F?

This is one of the frequent questions. The FIDO website and most presentations do not clearly define the relations between UAF, U2F and WebAuthn. Reading various sources, including the official website, one can make an assumption that FIDO2 (CTAP2, WebAuthn) obsoletes UAF/U2F. But from what I currently know that's not the case here, and WebAuthn only extends the set of standards for authentication. So UAF (what about U2F?) is here to stay.
Can somebody confirm if I'm right?