Webauthn.io sent Get assertion command two times


Ahmad Syarif

May 19, 2021, 5:10:52 PM
to FIDO Dev (fido-dev)

Hi, I developed a BLE authenticator application for Android and iOS. I have tested it with webauthn.io and can register and log in on webauthn.io. However, I have a problem during login. Whenever I log in using Webauthn.io, the Get assertion command always comes two times, so I need to do fingerprint authentication two times as well. Below is the detail:

1. Whenever we log in using Webauthn.io, the Get assertion command always comes two times. The following is a sample of the first get assertion command received by the authenticator: 83007002A4016B776562617574686E2E696F025820C50B730F8BE2FF0F0B7BEDE87441BC2F5A96C4D004A47162A55F7BD74D3109B00381A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657905A1627570F4.


After receiving the above command, the authenticator continues with fingerprint authentication and sends the following response: 8300ED00A501A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657902582574A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF00500000001035846304402205868E68985086E4FFD51A66BC445B7B25B21BA447DAB3BEBF04DB9097885DE38022014DD62B10F811E9AC3DD6DEFC9531CE4076C49A697A33E6DDFC528B4E209C92C04A46269644AF7A00C00000000000000646E616D656C68616C6F7468697369736D656B646973706C61794E616D656C68616C6F7468697369736D656469636F6E600501.


2. Then, Webauthn.io sends the second get assertion command. The following is the command: 83007402A4016B776562617574686E2E696F025820C50B730F8BE2FF0F0B7BEDE87441BC2F5A96C4D004A47162A55F7BD74D3109B00381A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657905A2627570F5627576F5.

After receiving the above command, the authenticator continues with fingerprint authentication and sends the following response: 8300EE00A501A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657902582574A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF005000000020358473045022033E026A6C4F1A1A6C57E3EFA9E7B62A4089135BA7E553EDD1CB44EF0D70E3F9A022100EC63F375F560B526A2762E09B7579AE37A2DF0E6500B95FEADACEC3A7199B28F04A46269644AF7A00C00000000000000646E616D656C68616C6F7468697369736D656B646973706C61794E616D656C68616C6F7468697369736D656469636F6E600501.

Only after the second response does the login process in Webauthn.io succeed. We tried to break down the first and second Get assertion commands; the only difference between them is the option value. In the first command, the option value is “up = false” and in the second command the value is “up = true, uv = true”. Can you suggest how to solve this issue, so that the authenticator only receives 1 Get assertion command? FYI, our FIDO authenticator options are up = false, uv = true and rk = true.


Really appreciate your help on this issue.

Best Regards,

Thank you
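
Added example, not part of the original thread: a minimal Python decoder for the frames quoted in the post above, showing the options map of each getAssertion command and the flags the authenticator returned in its first response. The function names and the small CBOR-subset decoder are this example's own; it assumes each hex string is one complete, reassembled frame (BLE MSG command 0x83, two-byte length, CTAP2 payload).

```python
# Reassembled frames copied from the first post: 0x83 (BLE MSG), 2-byte length, CTAP2 payload.
FIRST_CMD = bytes.fromhex("83007002A4016B776562617574686E2E696F025820C50B730F8BE2FF0F0B7BEDE87441BC2F5A96C4D004A47162A55F7BD74D3109B00381A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657905A1627570F4")
SECOND_CMD = bytes.fromhex("83007402A4016B776562617574686E2E696F025820C50B730F8BE2FF0F0B7BEDE87441BC2F5A96C4D004A47162A55F7BD74D3109B00381A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657905A2627570F5627576F5")
FIRST_RESP = bytes.fromhex("8300ED00A501A262696458207B5CE0F1EB3D20988B4D22E88A365BB49AC640C0114DA776EA2202330634248164747970656A7075626C69632D6B657902582574A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF00500000001035846304402205868E68985086E4FFD51A66BC445B7B25B21BA447DAB3BEBF04DB9097885DE38022014DD62B10F811E9AC3DD6DEFC9531CE4076C49A697A33E6DDFC528B4E209C92C04A46269644AF7A00C00000000000000646E616D656C68616C6F7468697369736D656B646973706C61794E616D656C68616C6F7468697369736D656469636F6E600501")

def cbor_decode(buf, pos=0):
    """Decode one CBOR item (only the subset these frames use); return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21):           # simple values: false / true
        return info == 21, pos
    if info < 24:                                 # argument held in the initial byte
        arg = info
    elif info <= 27:                              # 1, 2, 4 or 8 byte big-endian argument
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length items are not handled")
    if major == 0:                                # unsigned integer
        return arg, pos
    if major in (2, 3):                           # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                           # array / map (map = key, value, key, ...)
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[0::2], items[1::2]))), pos
    raise ValueError(f"unsupported CBOR major type {major}")

def ctap_payload(frame, first_byte):
    """Check the BLE header and the CTAP command/status byte; return the CBOR body."""
    length = int.from_bytes(frame[1:3], "big")
    if frame[0] != 0x83 or len(frame) != 3 + length or frame[3] != first_byte:
        raise ValueError("unexpected frame")
    return frame[4:]

def get_assertion_options(frame):
    return cbor_decode(ctap_payload(frame, 0x02))[0].get(5, {})  # 0x02 = getAssertion, key 5 = options

def response_auth_flags(frame):
    auth_data = cbor_decode(ctap_payload(frame, 0x00))[0][2]     # 0x00 = success, key 2 = authData
    flags = auth_data[32]                                        # follows the 32-byte rpIdHash
    return {"up": bool(flags & 0x01), "uv": bool(flags & 0x04), "signCount": int.from_bytes(auth_data[33:37], "big")}

print(get_assertion_options(FIRST_CMD), get_assertion_options(SECOND_CMD), response_auth_flags(FIRST_RESP))
```

On the posted frames, the first command carries only `up: false`, the second carries `up: true, uv: true`, and the authData flags byte in the first response is 0x05 (UP and UV both set) with signature counter 1.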

Philipp Junghannß

May 19, 2021, 5:39:12 PM
to Ahmad Syarif, FIDO Dev (fido-dev)
What is acting as the FIDO client? A computer? And also, why do you have to do Auth or anything really if presence is off the first time?

My personal guess is that the system is trying to be smart and check whether the authenticator is registered to the site, as notably Windows 10 can sometimes prematurely tell you that the given Authenticator is not known.

Regards.


Ahmad Syarif

May 19, 2021, 9:45:06 PM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Ahmad Syarif
The FIDO client is a computer (browser) and the FIDO authenticator is a mobile application (Android / iOS) with BLE as the communication channel.

So if we do not do Auth the first time because "up = false", what kind of response should the authenticator give the first time?
I tried to respond with an error, but Webauthn.io got stuck there and did not send the 2nd get assertion.

Thank you

nuno sung

May 19, 2021, 11:35:42 PM
to FIDO Dev (fido-dev), Ahmad Syarif, FIDO Dev (fido-dev)
You should check the points below:
- Why the platform may send up=false first.
- I guess your signature is generated by some kind of OS SE and it always requests userVerification. Maybe you can consider the suggestion below as uv=false in your case, because this up=false response should not be sent to the server, or the server should consider it an invalid response.
On Thursday, May 20, 2021 at 9:45:06 AM [UTC+8], Ahmad Syarif wrote:

Ahmad Syarif

May 20, 2021, 5:57:53 AM
to FIDO Dev (fido-dev), nuno sung, Ahmad Syarif, FIDO Dev (fido-dev)
Thank you, appreciate your help