credProtect extension being tested in CTAP2.0


YoHidden

Jul 15, 2024, 7:34:34 AM
to FIDO Dev (fido-dev)
Hi,

My device has passed all the Conformance Tests made by the v1.7.20-4 tool, with the exception of the Ext: CredProtect - Mandatory.

After being required to do so, I added the credProtect extension to the GetInfo response and I am processing its provided value in the MakeCredential call, but now I am getting that...

UV only authenticators are not yet supported!

When using the Conformance Test tool for CTAP2.1 - MDS3 Tests I got this error for a lot of the tests, but when I changed it to CTAP2.0 Authenticator - MDS3 Tests all of them disappeared, except for this test.

Right now, I'm just trying to get my device to pass the Conformance Tests as a CTAP2.0 compliant device, so only supporting options 'uv' and 'up'. Is this test and the resulting error OK to get in this situation?

Thanks.

Ujjwal Roy

Jul 16, 2024, 3:15:25 AM
to FIDO Dev (fido-dev), YoHidden
Have you implemented Pin Protocol 2?


UV only authenticators are not yet supported!

This error should be resolved for CTAP2.1 - MDS3 Tests once you implement Pin Protocol 2 and the getInfo response reflects the same.

Pin Protocol 2 is mandatory for FIDO2.1; check out point 6 of Mandatory features.

My1

Jul 16, 2024, 3:20:18 AM
to Ujjwal Roy, FIDO Dev (fido-dev), YoHidden
Is pin proto 2 even a thing in ctap2.0?
After all the initial poster is trying to get 2.0 running. 


Ujjwal Roy

Jul 16, 2024, 3:24:54 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), YoHidden, Ujjwal Roy
For a FIDO2.0 compliant authenticator, just run only "CTAP2.0 Authenticator - MDS3 Tests".
  1. Select all tests from "CTAP2.0 Authenticator Tests"
  2. Based on the metadata statement, the test suite will execute tests and skip tests which are not applicable
  3. Once all the tests are passing, you will see a submit button
  4. Clicking on the submit button shares the conformance tool result with the FIDO Alliance

Not sure if FIDO 2.0 certification is still applicable since the sunset date has lapsed. This has to be checked with the certification team from the FIDO Alliance.

Ujjwal Roy

Jul 16, 2024, 3:26:33 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), YoHidden, Ujjwal Roy
Then he should only run "CTAP2.0 Authenticator - MDS3 Tests", not "CTAP2.1 - MDS3 Tests".


Jorge Monagas

Jul 16, 2024, 4:52:55 AM
to FIDO Dev (fido-dev), Ujjwal Roy, My1
Yes, the test being run is CTAP2.0 Authenticator - MDS3 Tests, so that’s the reason for my enquiry, that is, why this checks for only UV if I am running the tests for CTAP 2.0 and not for 2.1. Besides, this checking for only UV was removed from all the other tests (they complained when running CTAP 2.1 but disappeared when changed to CTAP 2.0).


Regards,

Jorge M.

Illia Irachek

Jul 17, 2024, 7:47:53 AM
to FIDO Dev (fido-dev), Jorge Monagas, My1, Ujjwal Roy
The "UV only authenticators are not yet supported!" error is in general thrown by the tools when no Pin protocols are implemented by the authenticator. Right now (1.7.20) the CredProtect tests for CTAP2.0 Authenticator have a hard dependency on Pin Protocol 1, hence the error.

There are plans to address this with the next update of the tools.

Regards,
Illia
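
Added example, not part of the thread or of the conformance tools: a preflight check that decodes a raw authenticatorGetInfo response and reports the condition described in the post above (credProtect advertised, no PIN protocol listed). The sample responses are constructed, and the `blocked_in_1_7_20` flag only encodes the thread's description of tool 1.7.20, not the tool's actual logic.

```python
def cbor_decode(buf, i=0):
    """Decode the CBOR subset GetInfo uses; returns (value, next_index)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if major == 7 and info in (20, 21):     # simple values false / true
        return info == 21, i
    if info < 24:                           # value packed in the initial byte
        n = info
    elif info <= 27:                        # 1, 2, 4 or 8 following bytes
        size = 1 << (info - 24)
        n, i = int.from_bytes(buf[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite lengths are not valid in CTAP2 CBOR")
    if major == 0:                          # unsigned integer
        return n, i
    if major in (2, 3):                     # byte string / text string
        raw = bytes(buf[i:i + n])
        return (raw if major == 2 else raw.decode("utf-8")), i + n
    if major == 4:                          # array of n items
        items = []
        for _ in range(n):
            item, i = cbor_decode(buf, i)
            items.append(item)
        return items, i
    if major == 5:                          # map of n key/value pairs
        result = {}
        for _ in range(n):
            key, i = cbor_decode(buf, i)
            result[key], i = cbor_decode(buf, i)
        return result, i
    raise ValueError("unsupported major type %d" % major)

def check_getinfo(response):
    """response = CTAP status byte + CBOR map from authenticatorGetInfo."""
    if response[0] != 0x00:
        raise ValueError("CTAP error status 0x%02x" % response[0])
    info, _ = cbor_decode(response, 1)
    cred_protect = "credProtect" in info.get(0x02, [])   # 0x02 = extensions
    pin_protocols = info.get(0x06, [])                   # 0x06 = pinProtocols
    return {"credProtect": cred_protect, "pin_protocols": pin_protocols,
            # Assumption taken from the thread, not from the tool's source:
            "blocked_in_1_7_20": cred_protect and not pin_protocols}

# Constructed samples: versions, extensions, zero AAGUID, options {up, uv}.
COMMON = (b"\x01\x81\x68FIDO_2_0\x02\x81\x6bcredProtect\x03\x50" + bytes(16)
          + b"\x04\xa2\x62up\xf5\x62uv\xf5")
NO_PIN = b"\x00\xa4" + COMMON                         # no 0x06 entry at all
WITH_PIN = b"\x00\xa5" + COMMON + b"\x06\x81\x01"     # pinProtocols = [1]
```
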

Jorge Monagas

Jul 17, 2024, 7:49:31 AM
to FIDO Dev (fido-dev), Illia Irachek, My1, Ujjwal Roy
Ok, thanks Illia.


Regards,

Jorge M.

rjhal...@gmail.com

Jul 18, 2024, 8:05:55 AM
to My1, Ujjwal Roy, FIDO Dev (fido-dev), YoHidden

CTAP 2.0 has no defined PIN support. That was one of the features introduced in 2.1 which I believe remains in “draft” status.

DUBOUCHER Thomas

Jul 18, 2024, 11:51:41 AM
to rjhal...@gmail.com, My1, Ujjwal Roy, FIDO Dev (fido-dev), YoHidden

You can implement Pin Protocol 2 in a CTAP 2.0 authenticator.

What we haven’t done is mandate support of Pin Protocol 2 for the CTAP 2.0 sunset; only credProtect is additionally required.

Cheers,

Thomas Duboucher

Embedded Security Specialist

Digital Identity and Security

Thales