Does adding U2F/CTAP1 support to FIDO2 authenticator affect certification?


Gregory Gallagher

Oct 20, 2022, 4:13:11 PM
to FIDO Dev (fido-dev)
My company recently passed FIDO2 L1 certification for our authenticator, which supports only CTAP 2.0 (version "FIDO_2_0"). We then discovered the issue that 2-step verification for Google accounts requires U2F, so we're in the process of adding U2F/CTAP1 support (version "U2F_V2"). Do we need to get a separate U2F certification or can we amend our existing FIDO2 certification?

When we try to run tests in "FIDO Conformance Tools v1.75 || U2F1.1/1.2 - MDS3", some of the tests fail because it expects our metadata statement to show us as a U2F authenticator, and the conformance tests for FIDO2 don't have any U2F/CTAP1 tests. It's a little confusing.

Any guidance is highly appreciated.

Thanks,
Greg

John Bradley

Oct 21, 2022, 1:52:49 AM
to Gregory Gallagher, FIDO Dev (fido-dev)
You need to do a second certification.

You will have 2 MDS entries, one for CTAP2 and one for U2F. The identifiers are different for the two protocols.

Gregory Gallagher

Oct 21, 2022, 7:24:52 AM
to FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), Gregory Gallagher
Thanks very much John.

Steven li

Nov 16, 2022, 8:08:16 PM
to FIDO Dev (fido-dev), g...@jensatch.com, John Bradley, FIDO Dev (fido-dev)
Hi Sir:

I still don't understand this question. Google account two-step verification does require U2F, but FIDO2 authentication CTAP2.0 and CTAP1/U2F can support
FIDO2 Authentication = 2-step verification with Google Accounts

Why does FIDO2 already support CTAP2/1(U2F), but it needs to pass the U2F specification?

Thanks,
Steven

John Bradley

Nov 16, 2022, 8:33:10 PM
to Steven li, FIDO Dev (fido-dev), g...@jensatch.com
Firefox and Android don’t support CTAP2 yet.

Steven li

Nov 17, 2022, 2:31:41 AM
to FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), g...@jensatch.com, Steven li
Hi all,

1. Our company's products support CTAP2 and CTAP1/U2F
2. FIDO2 only authenticates CTAP2 or CTAP2.1
3. If the authentication for registration on a specified account server, and the website platform only supports the CTAP1/U2F authentication protocol,
    is it necessary to declare that the device has obtained the U2F authentication logo?

Please let me know the answer to point 3.
Thanks in advance!

Steven Li
