UP (User Presence) flag mandatory to set in FIDO2 smartcard-based authenticator?


Mohan Lale

Oct 30, 2020, 3:30:10 AM10/30/20
to FIDO Dev (fido-dev)
Hi All,

I am developing a smartcard-based FIDO2 applet (NFC). Does the UP flag need to be set in FIDO2?
I ask because the below-mentioned websites do not allow registration/authentication when the UP flag is not set (UV flag set).

Websites allow registration/authentication with the UV flag set and the UP flag not set.

Do I need to always set a dummy UV flag because I am using a smartcard, and the web browser asks to tap the smartcard every time?
Note: I have set the UV flag (PIN policy implemented).

Regards,
Mohan

Jonathan Verner

Oct 30, 2020, 4:54:07 AM10/30/20
to Mohan Lale, FIDO Dev (fido-dev)
As I understand the spec, the UP flag should be the inverse of the UV flag.

Best,

Jonathan

Jonathan Verner, PhD.
software engineer

Nexus Group
Evropska 33/A
160 00 Praha 6
Czech Republic


From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of Mohan Lale <mohan...@gmail.com>
Sent: Friday, 30 October 2020 8:30
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: [FIDO-DEV] UP (User Presence) flag mandatory to set in FIDO2 smartcard-based authenticator?
 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/2767b665-dcea-4822-b127-b7b59f9ae16dn%40fidoalliance.org.

Mohan Lale

Oct 30, 2020, 5:25:23 AM10/30/20
to FIDO Dev (fido-dev), Mohan Lale
Do I need to always set a dummy *UP* flag because I am using a smartcard, and the web browser asks to tap the smartcard every time?
Note: I have set the UV flag (PIN policy implemented).

Ackermann Yuriy

Oct 30, 2020, 7:05:01 AM10/30/20
to Mohan Lale, FIDO Dev (fido-dev)
UP is an explicit action, so your NFC card must have some user input such as a button to have UP.

You can have UV in the form of ClientPin1, though.

Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand



Antoine FERRON

Oct 30, 2020, 7:46:15 AM10/30/20
to Ackermann Yuriy, Mohan Lale, FIDO Dev (fido-dev)
On NFC and smartcard authenticators, the platform requires a new insertion or a tap. This is a user action: it asks the user to perform an action on the card (tap or re-insert). With all CCID/NFC devices, the signatures require the user to plug the card in again or to tap again over NFC. This enforces the user presence verification and verifies the physical user presence. No signature or communication with the authenticator can happen without a physical user action. So NFC authenticators have their UP flag set; this is not "dummy", this is a real user presence check. No authentication can be performed without any user action.

About UV: yes, on an NFC smartcard it can be performed through the PIN mechanism.

Also, the UV and UP flags are fully independent. On NFC smartcards, UP is true, and UV is set when a correct PIN was given. About the capabilities declaration, the NFC card states that it is UP capable and, if the PIN auth extension is implemented, UV capable.

_____________________________________
Antoine FERRON
Président — BitLogiK

bitlogik.fr — PGP Key ID#22F95B31

Mohan Lale

Oct 30, 2020, 8:05:51 AM10/30/20
to Antoine FERRON, Ackermann Yuriy, FIDO Dev (fido-dev)
Hi Antoine,

I completely agree with your statement: the card needs to be plugged back in or tapped again over NFC, so I will always set the UP flag.
For the UV flag, I have implemented the ClientPin mechanism.

@Yuriy
The smartcard doesn't have any button-like structure. Do you agree with Antoine's statement?

Regards,
Mohan
--
Mohan R Lale
Mob No- 8421259805

Ackermann Yuriy

Oct 30, 2020, 8:10:47 AM10/30/20
to Mohan Lale, Antoine FERRON, FIDO Dev (fido-dev)
An NFC tap is not considered a TUP per the FIDO security requirements, as an attacker may simply... tap you on the back, or control the reader itself via PC/SC, thus performing unauthorised operations without the user's explicit consent.

Mohan Lale

Oct 30, 2020, 8:39:18 AM10/30/20
to FIDO Dev (fido-dev), Ackermann Yuriy, Antoine FERRON [BitLogiK], FIDO Dev (fido-dev), Mohan Lale
@Yuriy,

So I don't need to always set the UP flag, as per the attached screenshot of the CTAP2 standard and the image of my smartcard.

Will my authenticator certify without UP? My worry is that some websites need the UP flag to be set.

UPUVFlags.jpg
smarcard.jpg

Ackermann Yuriy

Oct 30, 2020, 8:42:47 AM10/30/20
to Mohan Lale, Antoine FERRON [BitLogiK], FIDO Dev (fido-dev)
You do need UV.

John Bradley

Oct 30, 2020, 8:43:34 AM10/30/20
to fido...@fidoalliance.org

WebAuthn will NOT provide an assertion to an RP without UP set.

I am confused by @Yuriy's statement. It seems to contradict the behavior of every U2F and CTAP2 authenticator produced, to my knowledge.

It also seems to counter the behavior of the certification test tool.

@Yuriy can you clarify?

John B.
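To make the RP-side check that John refers to concrete, here is an added example (not code from any participant in this thread) that parses the CTAP2/WebAuthn authenticatorData structure, extracts the UP and UV bits of the flags byte, and applies the assertion-verification rule: UP must be set unconditionally, UV only when the RP requested userVerification "required". The bit positions (bit 0 UP, bit 2 UV, bit 6 AT, bit 7 ED) are the WebAuthn authenticator data layout; the RP ID, sign counts and the three sample authenticator data blobs are constructed for the example.

```python
"""Parse the WebAuthn/CTAP2 authenticatorData flags byte and apply the
relying-party checks on UP and UV discussed in the thread.

Added example; not code from the thread's participants. The authenticator
data used below is constructed inline, not captured from a real token.
"""
import hashlib
import struct
from typing import Dict, Tuple

# Flag bits of the authenticatorData flags byte (WebAuthn layout).
FLAG_UP = 0x01  # bit 0: User Present
FLAG_UV = 0x04  # bit 2: User Verified
FLAG_AT = 0x40  # bit 6: attested credential data included
FLAG_ED = 0x80  # bit 7: extension data included


def parse_authenticator_data(auth_data: bytes) -> Dict[str, object]:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rpIdHash": rp_id_hash,
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
        "signCount": sign_count,
    }


def verify_flags(auth_data: bytes, rp_id: str,
                 user_verification: str = "preferred") -> Tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion verification procedure:
    rpIdHash must match SHA-256(rpId), UP must be set, and UV must be set
    when the RP asked for userVerification="required"."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["up"]:
        return False, "UP flag not set: assertion rejected"
    if user_verification == "required" and not parsed["uv"]:
        return False, "UV required but UV flag not set"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal 37-byte authenticatorData (constructed test input, no AT/ED)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # hypothetical RP ID
    # The "smartcard scenario" from the CTAP2 text: UV=1 (PIN entered) but UP=0.
    print(verify_flags(make_auth_data(rp, FLAG_UV, 5), rp))
    # NFC card that reports UP=1 on the tap and UV=1 via clientPin.
    print(verify_flags(make_auth_data(rp, FLAG_UP | FLAG_UV, 6), rp, "required"))
    # UP only, while the RP demanded userVerification="required".
    print(verify_flags(make_auth_data(rp, FLAG_UP, 7), rp, "required"))
```

The first call is rejected regardless of UV, which is the behaviour Mohan observed on the websites he tested: an RP following the WebAuthn verification steps never accepts an assertion whose UP bit is clear. The third call shows the independent UV check, so an authenticator that sets UP on every tap but only sets UV after a correct PIN works for both "preferred" and "required" RPs.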

Antoine FERRON

Oct 30, 2020, 8:57:28 AM10/30/20
to John Bradley, fido...@fidoalliance.org
I'm also very confused by his statement, because months ago it was accepted by the FIDO Alliance. I even asked about this point and we agreed that a tap is a UP mechanism. I think that all major NFC card providers are setting UP to true on NFC. Likewise, this new security requirement would break all NFC cards (with no UP) and prevent them from working properly, because there would not be any UP system available. The "tap" (or card re-insertion) required by platforms was designed to act as UP on NFC cards. This is not 100% secure, but it is as secure as a simple button. Yuriy, can you point at some new FIDO material where the NFC tap is now excluded?

I agree that the CTAP standard shows "up"=0 "uv"=1 as a typical "smartcard scenario", but all produced and certified U2F/FIDO smartcards respond with UP=1, otherwise this simply does not work. This is maybe one point of deviation between the strict official standard and the de facto standard. Still, I can't remember any contradiction in the standard on this point.

If an access requires high security, it should ask for UV, as UP is just a button press or a tap. It can also be obtained by owning or tapping a physical smartcard, in your trouser pocket for example.

_____________________________________
Antoine FERRON
Président — BitLogiK

bitlogik.fr — PGP Key ID#22F95B31

John Bradley

Oct 30, 2020, 9:25:57 AM10/30/20
to Antoine FERRON, fido...@fidoalliance.org, Johan Verrept

I have opened a CTAP2.1 issue on this.

https://github.com/fido-alliance/fido-2-specs/issues/1073

You need to be a WG member to access it. (Sorry.)

This is a part of the spec we are currently clarifying around UV and UP caching.

Some things about user presence are being clarified in CTAP2.1.

I think the parenthetical "a typical smartcard scenario" in getAssertion is not normative and should probably be removed.

The SPWG will have to comment on whether the security requirements 1.4 allow an NFC tap as a TUP.

Regards

John B.
