CTAP v2.1 and U2F behaviour


Fujimi Bentley

Sep 27, 2024, 7:44:05 PM
to FIDO Dev (fido-dev)
Hello FIDO community! 

Apologies if I double posted, I can't find a post I made about an hour ago? Might have clicked delete instead of post or something silly.

Problem: USB HID FIDO Conformance tool expects U2F and/or CTAP v2.1 behaviour

My question, since I do not want to get too hacky with how I'm handling FIDO: What is the proper way to handle switching from U2F to CTAP 2.1? I don't see it in the CTAP 2.1 documentation, other than simply restarting FIDO by unplugging and plugging back in. Can someone please refer me to any documentation for this case?

Details of the problem:

Communication process that works with tool:
  1. Disconnect/reconnect token (assume U2F mode)
  2. Broadcast init for CID
  3. Reset command (sometimes, assume U2F mode)
  4. GetInfo (if present, assume CTAP 2.1 mode)
  5. AuthenticatorMakeCredential (Respond with waiting for user action)
OR
  1. Disconnect/reconnect token (assume U2F mode)
  2. Broadcast Init for CID
  3. Reset command (sometimes, assume U2F mode)
  4. AuthenticatorMakeCredential (Respond with success)
The problem I have with my token is handling step 1. disconnect token. There are 2 conflicting steps with this:
  1. HID-1 Test CTAP2 HID support: P-9
  2. Authr-MakeCred-Req-1: P-1
I do not want to disconnect then reconnect my token for the test. It has a separate user authentication step OUTSIDE of FIDO to even use the token at all, as the FIDO interface does not exist pre user login; the user must authenticate themselves first. This step can be done but it is very annoying and does not seem necessary.

For 2. Authr-MakeCred-Req-1 in the conformance tool, the previous step checks the output of GetInfo against the metadata provided; however, there is NO Reset command in between. This means my implementation expects the token to be in CTAP 2.1 mode and replies with "Respond with waiting for user action" (for PIN Not Set, 6.1.2.1).

I tried implementing a CID test, where the last 32 CIDs are tracked: if GetInfo was performed using a CID, that specific CID is then in CTAP 2.1 mode. This then conflicts with 1. HID-1 Test CTAP2 HID support P-9, as there is no GetInfo step on the CID used and it's expecting user action.
P-9 performs a broadcast then a make credential op. There is a GetInfo beforehand, but it is on a different CID.

Alternatively can the conformance tool have a reset operation at Authr-MakeCred-Req-1? This way I can use the Reset command to revert back to U2F (what I was originally doing and thought was correct).

If there is no solution and there's a reason why it is done this way, please enlighten me. I will just have to do the full reset, but it is a hassle and seems unnecessary?

Regards!

Fujimi

Fujimi Bentley

Sep 29, 2024, 11:21:19 PM
to FIDO Dev (fido-dev), Fujimi Bentley
Thanks to Yuriy!

This is clear now. To summarize U2F vs CTAPv2 behaviour:
1. U2F register is via Message (0x83)
2. If a makeCredential operation is received via CBOR (0x90), it is CTAPv2
3. The only time they cross over is in memory storage and handling, so the authenticator has to know how the credential was made

When documentation says "Handle creation of credentials like U2F" in CTAPv2, it does not mean U2F behaviour is expected in the CTAP v2 method. It just means support both individual methods. I overcomplicated the process above, they do not cross over.

Regards!

Fujimi
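The resolution above (the transport command byte decides the protocol, not a per-CID "mode") can be shown with a small dispatcher. The following is an added example, not code from the thread or from any authenticator or conformance tool: it parses a CTAPHID initialization packet, classifies it as U2F (CTAPHID_MSG, 0x83) or CTAP2 (CTAPHID_CBOR, 0x90), and extracts the operation code from the payload. The command and instruction constants are the ones defined in the CTAP and U2F specifications; the sample packets, the `created_via` credential flag and all function names are constructed for illustration and correspond to the three summary points, including the first post's CID-tracking attempt that this design makes unnecessary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CTAPHID command bytes (CTAP spec, USB HID transport); bit 7 is set in an
   initialization packet, clear in a continuation packet. */
#define CTAPHID_MSG   0x83  /* U2F (CTAP1) APDU transport */
#define CTAPHID_CBOR  0x90  /* CTAP2 CBOR-encoded request */

/* U2F APDU instruction bytes (FIDO U2F raw message format) */
#define U2F_REGISTER      0x01
#define U2F_AUTHENTICATE  0x02
#define U2F_VERSION       0x03

/* CTAP2 command codes: the first byte of the CBOR payload */
#define CTAP2_MAKE_CREDENTIAL 0x01
#define CTAP2_GET_ASSERTION   0x02
#define CTAP2_GET_INFO        0x04
#define CTAP2_RESET           0x07

typedef enum { PROTO_UNKNOWN = 0, PROTO_U2F = 1, PROTO_CTAP2 = 2 } fido_proto_t;

typedef struct {
    uint32_t cid;
    uint8_t cmd;
    uint16_t bcnt;           /* total payload length across all fragments */
    const uint8_t *payload;  /* first fragment only, points into the packet */
    size_t payload_len;
} ctaphid_init_pkt_t;

/* Parse a CTAPHID initialization packet: CID(4) CMD(1) BCNTH BCNTL DATA(...).
   Returns 0 on success, -1 for a short buffer or a continuation packet. */
int ctaphid_parse_init(const uint8_t *pkt, size_t len, ctaphid_init_pkt_t *out) {
    if (len < 7) return -1;
    if ((pkt[4] & 0x80) == 0) return -1;  /* sequence byte: continuation packet */
    out->cid = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
               ((uint32_t)pkt[2] << 8) | pkt[3];
    out->cmd = pkt[4];
    out->bcnt = (uint16_t)(((uint16_t)pkt[5] << 8) | pkt[6]);
    out->payload = pkt + 7;
    size_t avail = len - 7;
    out->payload_len = out->bcnt < avail ? out->bcnt : avail;
    return 0;
}

/* The protocol follows from the command byte alone; no per-CID state is kept. */
fido_proto_t fido_classify(const ctaphid_init_pkt_t *p) {
    switch (p->cmd) {
        case CTAPHID_MSG:  return PROTO_U2F;
        case CTAPHID_CBOR: return PROTO_CTAP2;
        default:           return PROTO_UNKNOWN;
    }
}

/* Operation code: for U2F the APDU INS byte (CLA INS P1 P2 ...), for CTAP2 the
   first payload byte. Returns -1 when the payload is too short or transport unknown. */
int fido_operation(const ctaphid_init_pkt_t *p) {
    switch (fido_classify(p)) {
        case PROTO_U2F:   return p->payload_len >= 4 ? p->payload[1] : -1;
        case PROTO_CTAP2: return p->payload_len >= 1 ? p->payload[0] : -1;
        default:          return -1;
    }
}

/* Convenience wrappers over a raw packet buffer. */
int classify_packet(const uint8_t *pkt, size_t len) {
    ctaphid_init_pkt_t p;
    if (ctaphid_parse_init(pkt, len, &p) != 0) return PROTO_UNKNOWN;
    return (int)fido_classify(&p);
}
int operation_of_packet(const uint8_t *pkt, size_t len) {
    ctaphid_init_pkt_t p;
    if (ctaphid_parse_init(pkt, len, &p) != 0) return -1;
    return fido_operation(&p);
}

/* Point 3 of the summary: storage records which protocol created a credential
   so it can be handled accordingly later (hypothetical record layout). */
typedef struct { uint8_t id[16]; fido_proto_t created_via; } stored_cred_t;

/* Constructed samples on CID 0x00010002 (not captured from a real device). */
const uint8_t SAMPLE_GETINFO[64] = { 0x00, 0x01, 0x00, 0x02, CTAPHID_CBOR, 0x00, 0x01,
                                     CTAP2_GET_INFO };
/* U2F_REGISTER APDU: CLA=00 INS=01 P1=03 P2=00, Lc=000040, then 64 bytes of
   challenge and application parameters (zeros here). */
const uint8_t SAMPLE_U2F_REG[64] = { 0x00, 0x01, 0x00, 0x02, CTAPHID_MSG, 0x00, 0x47,
                                     0x00, U2F_REGISTER, 0x03, 0x00, 0x00, 0x00, 0x40 };
/* Continuation packet (sequence byte 0x00): never dispatched on its own. */
const uint8_t SAMPLE_CONT[64] = { 0x00, 0x01, 0x00, 0x02, 0x00, 0xAA, 0xBB };

int main(void) {
    stored_cred_t cred = { {0}, PROTO_UNKNOWN };
    int proto = classify_packet(SAMPLE_U2F_REG, sizeof SAMPLE_U2F_REG);
    if (proto == PROTO_U2F && operation_of_packet(SAMPLE_U2F_REG, sizeof SAMPLE_U2F_REG) == U2F_REGISTER)
        cred.created_via = PROTO_U2F;
    printf("getinfo: proto=%d op=0x%02x\n", classify_packet(SAMPLE_GETINFO, sizeof SAMPLE_GETINFO),
           operation_of_packet(SAMPLE_GETINFO, sizeof SAMPLE_GETINFO));
    printf("u2f register: proto=%d op=0x%02x, credential created_via=%d\n", proto,
           operation_of_packet(SAMPLE_U2F_REG, sizeof SAMPLE_U2F_REG), cred.created_via);
    printf("continuation: proto=%d\n", classify_packet(SAMPLE_CONT, sizeof SAMPLE_CONT));
    return 0;
}
```

Because the decision is made per packet from the command byte, a GetInfo on one CID followed by a makeCredential on another CID (the P-9 sequence from the first post) needs no shared mode state, and a Reset is not required to "return" to U2F.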
