How can an NFC reader firmware confirm if FIDO/FIDO2 transactions between Client/RP and Authenticator are completed and if they succeeded or failed?


Deep Patel

Feb 16, 2021, 2:24:38 PM
to FIDO Dev (fido-dev)

Hello,

I am an embedded software engineer. I am working on developing NFC reader firmware that reads a FIDO2 NFC security key (external authenticator) for login/register in any of the FIDO2-supported applications/browsers on Windows 10. The reader communicates with the PC over the CCID protocol.

I need some technical assistance in the development of the reader firmware.

With our development, our reader is capable of successfully processing an NFC security key (for example, registering and logging into a Microsoft account on Windows 10 via any browser, MS Edge / Chrome etc.).

However, I want to add an alert on the reader (like an LED / beeper) for the user, which confirms that the FIDO/FIDO2 authentication / registration process is ongoing or completed and whether it succeeded or failed, so that the user knows when to remove the key from the reader.

How can I do that? Since our reader is just a transporter for sending encrypted commands between Client and Authenticator, our reader firmware doesn't know if FIDO/FIDO2 transactions have been started or have finished, resulting in success or failure.

Any help or guidance will be appreciated.

Thanks.

Ackermann Yuriy

Feb 16, 2021, 3:20:18 PM
to Deep Patel, FIDO Dev (fido-dev)
You need to check that SW12 is 0x9000 and that the CTAP response code is set to 0x00 - Success

--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand

Deep Patel

Mar 4, 2021, 7:20:02 PM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), Deep Patel
Hello,

Can you please elaborate on your response?
From whom shall I monitor these SW1 SW2 and CTAP response code:
A.) From incoming 14443A command authenticator over RF or
B.) From incoming CCID command over USB from host application / browser / Windows platform?

I believe the FIDO key successful authentication / registration is only between Server and Windows Application / Web Browser.

We are the NFC reader in between fido2 nfc authenticator and host windows application / browser
Server <-----> Windows Application / Web Browser <---(CCID)--- NFC Reader --(14443A)----> nfc fido2 authenticator

Thanks.

John Bradley

Mar 4, 2021, 11:21:03 PM
to Deep Patel, FIDO Dev (fido-dev), Ackermann Yuriy
Those are coming from the authenticator.

The CTAP2.0 spec covers the NFC transport.

I don't know how much value that adds to a CCID reader, however.

On Windows 10 all the CCID commands come from webAuthn.dll in the system, not the browser directly. That is why Chrome on Windows supports NFC.


John B. 
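
The check described in the replies above (SW1 SW2 equal to 0x9000 and a CTAP status byte of 0x00, both read from the authenticator's response), written out as an added C example that is not part of the original thread. It assumes CTAP 2.0 NFC framing (NFCCTAP_MSG as CLA 0x80 / INS 0x10, with ISO 7816-4 command and response chaining); the names `fido_watch_t` and `fido_watch` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum { FIDO_IDLE, FIDO_PENDING, FIDO_OK, FIDO_FAIL } fido_result_t;

typedef struct {
    int     in_ctap2;     /* an NFCCTAP_MSG exchange is in flight */
    int     have_status;  /* CTAP status byte already captured */
    uint8_t status;       /* first byte of the first response fragment */
} fido_watch_t;

/* Feed each C-APDU the reader forwards to the card together with the
 * R-APDU that came back over RF. Assumed framing: CTAP 2.0 over NFC. */
fido_result_t fido_watch(fido_watch_t *w, const uint8_t *c, size_t clen,
                         const uint8_t *r, size_t rlen)
{
    if (clen < 4 || rlen < 2) { w->in_ctap2 = 0; return FIDO_IDLE; }
    uint8_t  cla = c[0], ins = c[1];
    uint16_t sw  = (uint16_t)((r[rlen - 2] << 8) | r[rlen - 1]);

    if ((cla & 0xEF) == 0x80 && ins == 0x10) {   /* NFCCTAP_MSG */
        w->in_ctap2 = 1;
        w->have_status = 0;
        if (cla & 0x10) {                        /* command chaining: more fragments follow */
            if (sw == 0x9000) return FIDO_PENDING;
            w->in_ctap2 = 0;
            return FIDO_FAIL;
        }
    } else if (!(w->in_ctap2 && ins == 0xC0)) {  /* not a GET RESPONSE for our exchange */
        w->in_ctap2 = 0;
        return FIDO_IDLE;
    }
    if (!w->have_status && rlen >= 3) {          /* status byte leads the response data */
        w->status = r[0];
        w->have_status = 1;
    }
    if ((sw >> 8) == 0x61) return FIDO_PENDING;  /* response chaining: more data to fetch */
    w->in_ctap2 = 0;
    return (sw == 0x9000 && w->have_status && w->status == 0x00) ? FIDO_OK : FIDO_FAIL;
}
```

`FIDO_OK` here means only that the authenticator answered one CTAP command with success; it says nothing about whether the relying party accepted the result.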


Deep Patel

Mar 9, 2021, 1:58:06 PM
to FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), Ackermann Yuriy, Deep Patel
Hello John, 

I think these are the steps involved during registration / logging process using Security key : 
1. Browser / Application to Authenticator
2. Response from Authenticator
3. Verification / Response from Relying Party

After step 3, the user is notified on the browser / application / platform that their security key registration process or authentication login process is completed successfully.

After step 3, once the security key is registered or authentication is successful, we also want to add an audible beep in our NFC reader to let the user know the process is successfully completed.

So, my question is, is there some kind of feedback provided from the RP after step 3 to the Authenticator/Platform in the FIDO spec that an NFC reader can monitor to play a beep indicating success?
I don't know if there's any message that would get passed back to the reader. 

Thanks.

John Bradley

Mar 9, 2021, 2:16:38 PM
to Deep Patel, FIDO Dev (fido-dev), Ackermann Yuriy
There is no protocol message. The RP controls the page, so can display what they like for success. I guess they might also be able to use webHID to send a message to the CCID reader but that seems a bit unlikely.

You are probably looking for some message that goes from the RP to the key on completion, and that doesn't exist in the protocol.

John B. 

Deep Patel

Mar 9, 2021, 2:33:15 PM
to John Bradley, FIDO Dev (fido-dev), Ackermann Yuriy
Ok, thanks for confirming.
--
Deep Patel