
WebAuthn Interfaces Settings


Hassan Seifi

Nov 20, 2024, 12:59:16 PM11/20/24
to FIDO Dev (fido-dev)
Does anyone know how it is possible, for example, to ask Windows WebAuthn to not look for NFC authenticators?

There should be somewhere in the registry, etc., to configure this to only allow the USB interface, for example.

Thank you
Hassan

Adam Langley

Nov 20, 2024, 1:22:45 PM11/20/24
to FIDO Dev (fido-dev), Hassan Seifi
On Wednesday, November 20, 2024 at 9:59:16 AM UTC-8 Hassan Seifi wrote:
Does anyone know how it is possible, for example, to ask Windows WebAuthn to not look for NFC authenticators?

There should be somewhere in the registry, etc., to configure this to only allow the USB interface, for example.

During assertion, transport hints can be set for each element of the allowCredentials list. If all credentials have a transport list, and none include `nfc`, then Windows will probably skip NFC. However, during creation, and during assertion with an empty allow list, it's not possible (at the WebAuthn request level) to disable NFC.
Cheers

AGL
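The rule AGL describes can be made concrete on the relying-party side. The following is an added example, not code from the thread or from any participant: it builds a WebAuthn assertion request from a hypothetical list of registered credentials (the credential IDs, the `example.com` RP ID and the zero-filled challenge are constructed placeholders) and then checks whether the request, as built, lets the platform skip a given transport. The check returns true only when the allow list is non-empty, every entry carries a `transports` hint, and none of those hints names the transport; an empty allow list or a single entry without hints forces the platform to consider every transport, which is exactly the limitation AGL points out for creation and for empty-allow-list assertions.

```javascript
// Added example (not from the thread): RP-side construction of a WebAuthn
// assertion request with transport hints, plus a predicate that applies the
// "platform may skip this transport" rule described in the reply above.

// Constructed sample: what an RP might have stored per user at registration
// time. The IDs are made-up bytes; the transports come from the authenticator's
// getTransports() at registration in a real deployment.
const registeredCredentials = [
  { id: new Uint8Array([0x01, 0x02, 0x03, 0x04]), transports: ["usb"] },
  { id: new Uint8Array([0x05, 0x06, 0x07, 0x08]), transports: ["usb", "nfc"] },
];

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// The challenge here is a constructed placeholder; a real RP generates a fresh
// random challenge server-side for every request.
function buildAssertionOptions(credentials, challenge = new Uint8Array(32)) {
  return {
    challenge,
    rpId: "example.com", // assumed RP ID
    userVerification: "preferred",
    allowCredentials: credentials.map((c) => ({
      type: "public-key",
      id: c.id,
      // Only emit the hint when the RP actually recorded one.
      ...(Array.isArray(c.transports) && c.transports.length > 0
        ? { transports: c.transports }
        : {}),
    })),
  };
}

// True when every allowCredentials entry carries a transports hint and none of
// them lists `transport`, so the platform can avoid probing that transport.
// An empty allow list (discoverable-credential flow) or any entry without a
// hint returns false: the platform must then try every transport it supports.
function transportExcluded(options, transport) {
  const list = options.allowCredentials || [];
  if (list.length === 0) return false;
  return list.every(
    (c) =>
      Array.isArray(c.transports) &&
      c.transports.length > 0 &&
      !c.transports.includes(transport)
  );
}

// Convenience wrapper that performs the assertion in a browser and reports the
// NFC decision; in a non-browser runtime it only returns the decision.
async function requestAssertion(credentials) {
  const options = buildAssertionOptions(credentials);
  const nfcSkippable = transportExcluded(options, "nfc");
  if (typeof navigator !== "undefined" && navigator.credentials) {
    const assertion = await navigator.credentials.get({ publicKey: options });
    return { nfcSkippable, assertion };
  }
  return { nfcSkippable, assertion: null };
}

// Walk through the cases the reply distinguishes.
function demo() {
  const both = buildAssertionOptions(registeredCredentials);
  const usbOnly = buildAssertionOptions(registeredCredentials.slice(0, 1));
  const noHints = buildAssertionOptions([{ id: new Uint8Array([9, 9]) }]);
  const empty = buildAssertionOptions([]);
  return {
    bothCredentials: transportExcluded(both, "nfc"),   // false: one hint lists nfc
    usbOnlyCredential: transportExcluded(usbOnly, "nfc"), // true
    missingHints: transportExcluded(noHints, "nfc"),   // false
    emptyAllowList: transportExcluded(empty, "nfc"),   // false
  };
}

demo();
```

The predicate is advisory: per the reply, hints let a platform skip a transport but do not oblige it to, and nothing in a creation request (which has no allow list) can express the restriction at all. That is why an RP-side hint is not a substitute for the machine-level control the original question asks about.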

Hassan Seifi

Nov 20, 2024, 1:50:11 PM11/20/24
to Adam Langley, FIDO Dev (fido-dev)
Asking this for the situation where I am not controlling the relying party code but am managing domain-joined PCs. So I'm looking to see if Windows has such a configuration to define allowed interfaces.

Thank you
Hassan

My1

Nov 20, 2024, 2:13:03 PM11/20/24
to Hassan Seifi, Adam Langley, FIDO Dev (fido-dev)
Is there a reason you don't want them? You could use something to block the NFC readers completely if you don't use them in the company, or disable smartcard-related services if that's an option for your company, as NFC FIDO devices leverage the smartcard-related protocols.


Hassan Seifi

Nov 20, 2024, 2:18:46 PM11/20/24
to My1, Adam Langley, FIDO Dev (fido-dev)
Technically, the smart-card-related services need to stay on, but we want to prevent FIDO requests on the CCID interface.

My1

Nov 20, 2024, 2:38:53 PM11/20/24
to Hassan Seifi, Adam Langley, FIDO Dev (fido-dev)
But isn't CCID for FIDO, IIRC, only used for chip and NFC cards (and maybe BT)? USB uses HID as far as I am aware.

If you use FIDO chip cards, there's no way you can go over the FIDO-based parts of the system to knock out NFC, as chip and NFC cards are mostly viewed the same for the purposes of FIDO as far as I know.

DUBOUCHER Thomas

Nov 20, 2024, 5:15:51 PM11/20/24
to Hassan Seifi, My1, Adam Langley, FIDO Dev (fido-dev)
Let me guess, for clarification purposes:
You have PKI smartcards plugged into the contact reader of the machines you are managing, with a PKCS#11/CSP middleware, and you're wondering why, or how to handle, Windows Hello triggering a cold reset of the smartcard reader when a FIDO request comes in?
Unfortunately, this is how WinSCard/PC/SC is expected to behave. If that is the case, you should check whether your middleware can be configured to use exclusive mode, which would prevent Windows Hello from accessing any card supported by the middleware.
Best regards,
Thomas Duboucher (he/him)

Embedded Security Specialist

Digital Identity and Security

Thales