"Live" FIDO Authentication Test


Christopher Tomczak

Mar 2, 2023, 6:32:46 PM
to FIDO Dev (fido-dev)
Hello All,

Does anyone know of any web sites that use the published FIDO credentials for login?
In other words, does anyone know of any web sites where they actually use the published credentials and verify the attestation certificate and AAGUID?

I was able to successfully use a token as a second factor authentication method via my Google account using a token with a set of new credentials which have NOT been published by FIDO.

Thus, Google does not perform any attestation/verification of the device. It just trusts it implicitly.

Bottom Line: I am looking for a true "live" test of the FIDO credentials, including attestation certificate and AAGUID validation.

Any suggestions???

Thanks,
Chris

Sandeep Dhankar

Mar 2, 2023, 6:49:09 PM
to Christopher Tomczak, FIDO Dev (fido-dev)
Probably a biased suggestion, Okta provides that functionality with the explicit allow list feature for webAuthn Authenticators. You should be able to set up a development tenant to verify this.

Thanks,
Sandeep


Christopher Tomczak

Mar 2, 2023, 6:52:33 PM
to Sandeep Dhankar, FIDO Dev (fido-dev)
Good suggestion. Thanks. I'll give that a shot.

Take Care,
Chris


My1

Mar 2, 2023, 9:01:43 PM
to Christopher Tomczak, FIDO Dev (fido-dev)
Honestly, services for the general public especially, IMO, shouldn't force-check attestations, as even an unattested or not-yet-listed FIDO device is a major increase in security compared to a password; passkeys don't even get attestation in the first place, and there have been cases where FIDO devices weren't on the list for a good while.

My little sandbox at


It doesn't immediately check the attestations or throw logins out based on that, but when clicking on the linked list it verifies all registered authenticators against the latest dump of the list, which was made today.


If it all checks out, it'll show the icon stored in the metadata statement in the FIDO2 or U2F "MDS checked" column, which usually shows the company logo.

It also shows the name claimed in the attestation cert, which is useful to see which ones might not be in the list yet.

The dumper/indexer verifies that the metadata JWT is properly signed down to the GlobalSign root.

The only thing it does not check is revocation, because:

1) PHP doesn't seem to have a nice native way of doing that
2) I don't intend to bring in libs with thousands of files or megabytes worth of code
3) ultimately, this is a sandbox, not Fort Knox

Note that this is just me nerding around, rather than selling anything (I am not even in the business of FIDO stuff, just a curious nerd), so no guarantees, but I thought I'd share.

All in all it allows for lots of experimentation, and even Android passkeys work, obviously only when activating resident keys; otherwise it's a local-only credential.
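The "registered authenticator against the MDS dump" check My1 describes, as an added Python example that is not from the sandbox or anyone in this thread: it pulls the AAGUID out of the registration authData and looks it up in an already-fetched, already-signature-verified MDS3 BLOB payload, flagging entries with a compromise status. The MDS entries and the authData bytes are constructed for illustration; JWT chain validation and revocation are out of scope here, as in the post.

```python
import struct
import uuid

# Constructed stand-in for a decoded MDS3 BLOB payload's "entries" list (not a real dump).
MDS_ENTRIES = [
    {"aaguid": "11111111-2222-3333-4444-555555555555",
     "metadataStatement": {"description": "Example Key v1", "icon": "data:image/png;base64,..."},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1"}]},
    {"aaguid": "66666666-7777-8888-9999-000000000000",
     "metadataStatement": {"description": "Example Key v0"},
     "statusReports": [{"status": "FIDO_CERTIFIED"}, {"status": "ATTESTATION_KEY_COMPROMISE"}]},
]

# MDS3 authenticator status values that should fail an RP policy check.
BAD_STATUSES = {"USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
                "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED"}


def aaguid_from_auth_data(auth_data: bytes) -> str:
    """Extract the AAGUID from WebAuthn authenticatorData (registration response)."""
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key
    if len(auth_data) < 55:
        raise ValueError("authData too short to carry attested credential data")
    if not auth_data[32] & 0x40:  # AT flag: attested credential data present
        raise ValueError("authData has no attested credential data")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def mds_check(aaguid: str, entries) -> dict:
    """Look the AAGUID up in the MDS dump and report listing status, icon and any compromise flags."""
    by_aaguid = {e["aaguid"].lower(): e for e in entries if "aaguid" in e}
    entry = by_aaguid.get(aaguid.lower())
    if entry is None:
        return {"listed": False, "ok": False, "reason": "aaguid not in MDS dump"}
    statuses = {r["status"] for r in entry.get("statusReports", [])}
    bad = statuses & BAD_STATUSES
    stmt = entry.get("metadataStatement", {})
    return {"listed": True, "ok": not bad, "reason": ",".join(sorted(bad)) or "ok",
            "description": stmt.get("description"), "icon": stmt.get("icon")}


def build_auth_data(aaguid: str, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed test authData: zeroed rpIdHash, flags UP|AT, counter 0, placeholder COSE key."""
    return (b"\x00" * 32 + bytes([0x41]) + struct.pack(">I", 0) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```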

Shane Weeden

Mar 2, 2023, 9:05:17 PM
to Sandeep Dhankar, Christopher Tomczak, FIDO Dev (fido-dev)
Similarly IBM has this capability with IBM Verify. I also run a test site for developer-style testing where this is enforced. What are you really trying to achieve?


Arshad Noor

Mar 3, 2023, 4:03:14 AM
to fido...@fidoalliance.org

Not sure what you mean by "use published FIDO credentials for login", Chris. When a user registers a newly generated FIDO public-key with an RP site, the sole purpose of that credential is to login to that RP site. Depending on the policy of the RP site, they may or may not accept the registration.

When you say "attestation validation" are you referring to simply verifying the "correctness" of the attestation certificate or full PKIX Validation? If the latter, then you are out of luck; FIDO protocols do not mandate full PKIX Validation; however, they do not prevent you from doing so if the attestation certificate carries all the elements that support the process. However, in the 8+ years we have been part of the FIDO Alliance, we have not seen anyone implement it completely; so I doubt you can depend on it (unless you have a contractual agreement with a supplier that supports it).

Our StrongKey FIDO Server (SKFS) supports configurable policies without the need to have web developers tuning "policy knobs and dials" - thus placing control of security policy in the hands of the Security organization within enterprises. You are welcome to peruse the documentation related to configuring policies and test them out with a variety of FIDO Authenticators at https://demo.strongkey.com/fidopolicy - the policies shown there are examples of what's possible; companies are at liberty to define their own policies based on the "knobs and dials" provided by FIDO protocols.

Arshad Noor
StrongKey
