FIDO2 USB


Neel Shah

May 18, 2021, 11:03:03 AM
to FIDO Dev (fido-dev)
Hello,

We are testing our FIDO USB device on various operating systems right now and we are faced with a unique challenge.

On Windows we tested on Chrome and Microsoft Edge and our authenticator works absolutely fine, but on macOS/Ubuntu 20.04/iOS/Android we are facing the challenge of a Ghost UserPresence. By that I mean that even before I press the button, the browser believes the button is pressed and goes ahead to register my device.

On doing some deeper analysis, we see that soon after the Select AID command the browser sends the getInfo command, and even though we respond that we do support FIDO2, it sends a CTAP1 command (starting with 00).

Here are the logs of the command exchange.

<<00 A4 04 00 09 A0 00 00 06 47 2F 00 01 00 00
>>55 32 46 5F 56 32 90 00

<<80 10 00 00 01 04
>>00 A4 01 82 66 55 32 46 5F 56 32 68 46 49 44 4F 5F 32 5F 30 03 50 41 5B 2E 96 00 F5 4A 81 AE 9A B1 41 BA A4 C1 B3 04 A3 62 72 6B F4 62 75 70 F5 64 70 6C 61 74 F4 05 19 00 F7 90 00

<<80 10 00 00 01 04
>>00 A4 01 82 66 55 32 46 5F 56 32 68 46 49 44 4F 5F 32 5F 30 03 50 41 5B 2E 96 00 F5 4A 81 AE 9A B1 41 BA A4 C1 B3 04 A3 62 72 6B F4 62 75 70 F5 64 70 6C 61 74 F4 05 19 00 F7 90 00

<<00 01 03 00 00 00 40 18 CE E2 3E 35 AD 4C AF E8 D8 67 7F 42 08 77 79 7A EE 28 76 BB 59 82 75 86 F2 11 C3 2B C0 8D BC 74 A6 EA 92 13 C9 9C 2F 74 B2 24 92 B3 20 CF 40 26 2A 94 C1 A9 50 A0 39 7F 29 25 0B 60 84 1E F0

Can someone suggest what we might be missing?

Thanks

Neel.
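What the three host-to-authenticator APDUs in the log above actually encode, decoded with a small script. This is an added example, not code from the original poster or from any FIDO implementation; the only inputs are the hex lines quoted in the post (the reply to the final REGISTER command is not in the post, so it is not parsed). The CBOR decoder covers just the types an authenticatorGetInfo reply uses; the APDU parser handles the short and extended-length Lc forms that appear in the trace.

```python
"""Decode the NFC APDU trace quoted in the post above. Added example, not
code from the original poster or from any FIDO implementation; stdlib only."""

FIDO_AID = bytes.fromhex("A0000006472F0001")            # FIDO applet AID
CTAP2_CMD = {0x01: "makeCredential", 0x02: "getAssertion", 0x04: "getInfo"}
GETINFO_KEYS = {1: "versions", 2: "extensions", 3: "aaguid", 4: "options",
                5: "maxMsgSize", 6: "pinProtocols"}

# Host-to-authenticator ("<<") commands, copied from the log in the post.
TRACE = [
    "00 A4 04 00 09 A0 00 00 06 47 2F 00 01 00 00",
    "80 10 00 00 01 04",
    "00 01 03 00 00 00 40 18 CE E2 3E 35 AD 4C AF E8 D8 67 7F 42 08 77 79 7A EE 28 76 "
    "BB 59 82 75 86 F2 11 C3 2B C0 8D BC 74 A6 EA 92 13 C9 9C 2F 74 B2 24 92 B3 20 CF "
    "40 26 2A 94 C1 A9 50 A0 39 7F 29 25 0B 60 84 1E F0",
]
# Authenticator reply (">>") to getInfo, copied from the log in the post.
GETINFO_RESPONSE = (
    "00 A4 01 82 66 55 32 46 5F 56 32 68 46 49 44 4F 5F 32 5F 30 03 50 41 5B 2E 96 00 "
    "F5 4A 81 AE 9A B1 41 BA A4 C1 B3 04 A3 62 72 6B F4 62 75 70 F5 64 70 6C 61 74 F4 "
    "05 19 00 F7 90 00")


def unhex(s):
    return bytes.fromhex(s.replace(" ", ""))


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; return (value, next_pos). Covers the
    types getInfo uses (uint, bytes, text, array, map, false/true/null)."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26):                           # 1-, 2- or 4-byte argument
        n = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            result[key], pos = cbor_decode(buf, pos)
        return result, pos
    if major == 7 and arg in (20, 21, 22):
        return {20: False, 21: True, 22: None}[arg], pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_apdu(hexstr):
    """Split a command APDU into header fields and data. Handles the short Lc
    form and the extended form (00 hh ll) used for the 64-byte REGISTER."""
    b = unhex(hexstr)
    body = b[4:]
    if body[:1] == b"\x00" and len(body) >= 3:           # extended-length Lc
        data = body[3:3 + int.from_bytes(body[1:3], "big")]
    else:                                                # short Lc (or no body)
        data = body[1:1 + body[0]] if body else b""
    return {"cla": b[0], "ins": b[1], "p1": b[2], "p2": b[3], "data": data}


def classify(apdu):
    """Name the command the way a CTAP/U2F implementer reads it."""
    cla, ins, data = apdu["cla"], apdu["ins"], apdu["data"]
    if cla == 0x00 and ins == 0xA4:
        return "SELECT " + ("FIDO applet" if data[:8] == FIDO_AID else data.hex())
    if cla == 0x80 and ins == 0x10:                      # NFCCTAP_MSG
        return "CTAP2 " + CTAP2_CMD.get(data[0], "cmd 0x%02X" % data[0])
    if cla == 0x00 and ins == 0x01:                      # CTAP1/U2F REGISTER
        # data = 32-byte challenge param || 32-byte application param
        if len(data) != 64:
            raise ValueError("malformed U2F_REGISTER payload")
        return "U2F_REGISTER (P1=0x%02X, challenge=%s.., app=%s..)" % (
            apdu["p1"], data[:4].hex(), data[32:36].hex())
    return "unknown CLA=%02X INS=%02X" % (cla, ins)


def decode_getinfo(hexstr):
    """Parse a getInfo reply over NFC: CTAP status byte, CBOR map, SW1 SW2."""
    b = unhex(hexstr)
    if b[-2:] != b"\x90\x00" or b[0] != 0x00:
        raise ValueError("SW %s / CTAP status 0x%02X" % (b[-2:].hex(), b[0]))
    info, end = cbor_decode(b, 1)
    if end != len(b) - 2:
        raise ValueError("trailing bytes after the CBOR map")
    return {GETINFO_KEYS.get(k, k): v for k, v in info.items()}


def pin_status(info):
    """options.clientPin: absent = PIN unsupported, False = not set, True = set."""
    pin = info.get("options", {}).get("clientPin")
    return "unsupported" if pin is None else ("set" if pin else "not set")
```

Run `classify(parse_apdu(cmd))` over `TRACE` and `decode_getinfo(GETINFO_RESPONSE)` to see the exchange: SELECT of the FIDO applet, then CTAP2 getInfo carried in NFCCTAP_MSG (CLA 0x80, INS 0x10, the instruction the CTAP NFC transport defines, which is what identifies this as an ISO 7816 trace rather than USB HID), then a U2F_REGISTER whose extended-length data is the 32-byte challenge parameter followed by the 32-byte application parameter, with the control byte P1 = 0x03. The getInfo reply decodes to versions U2F_V2 and FIDO_2_0, aaguid 415b2e96-00f5-4a81-ae9a-b141baa4c1b3, options rk=false, up=true, plat=false with no clientPin entry (so the authenticator reports no PIN support at all), and maxMsgSize 247.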

Philipp Junghannß

May 18, 2021, 11:15:53 AM
to Neel Shah, FIDO Dev (fido-dev)
Not sure about Mac, but Android does not do CTAP2, and Chrome-like browsers on Linux (as well as on Windows older than 1903) send a CTAP1 (U2F) register request to get around the fact that in CTAP2 you need your PIN to register if the device has one set.

However, in CTAP1/U2F there.

The fact that it does a register without presence, though, seems very weird.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7c9d794a-2684-4ebc-b0c7-95fbb9931d03n%40fidoalliance.org.

Neel Shah

May 23, 2021, 7:35:08 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev)
Thank you for your feedback.

Our challenge still isn't resolved though.

Neel.

long dao

May 23, 2021, 10:07:31 PM
to Neel Shah, FIDO Dev (fido-dev), My1
Hi.
According to your logs, it's an NFC protocol command.
When you tap your NFC authenticator, it means "userPresent=true".

On macOS, I have the same issue. I think that macOS still does not support FIDO2.


On Sunday, May 23, 2021, Neel Shah <neeld...@gmail.com> wrote:


--
 
Đào Thanh Long
Control and Automation Engineer
Phone: 0982.367.469

