Calling WebAuthN from Custom Credential provider


Milos Kuchar

Mar 10, 2021, 5:24:55 AM3/10/21
to fido...@fidoalliance.org
Hi team, 
I am trying to call WebAuthn using an embedded browser (Chromium) from my custom Windows Credential Provider and it doesn't work. It fails when trying to get the GUI via CredentialUIBroker.exe.

In the Windows EventLog I see an event: 
Ctap Function: ProcessWebAuthNCommandCallback Location: Stop
Error: 0x8000401A. The server process could not be started because the configured identity is incorrect. Check the username and password.

Please, is that possible at all? How does Windows do that in its native implementation?

Thank you very much!
Milos

John Bradley

Mar 10, 2021, 8:41:57 AM3/10/21
to Milos Kuchar, FIDO Dev (fido-dev), Akshay Kumar
Someone from Microsoft can give you a more official answer.

From talking to several people who have tried to do what you are doing, effectively you cannot use the WebAuthn API from a custom credential provider. The problem, from what I understand, is mostly UI related to the lock screen.

Microsoft's provider has custom shell code to provide the appropriate UI.

I know someone who managed to experimentally authenticate with a bio authenticator by guessing when they should touch, but PIN was impossible and bio impractical.  

The workaround is to directly include the Fido client in the credential provider via libfido2 or something else.  

That works because the credential provider runs at an elevated privilege. The downside is that the platform authenticator is not available.

I don't know if Microsoft intends to change things so that an embedded Chromium browser has working access to WebAuthn.dll when running in a credential provider.

There are a number of people looking for that.

Regards
John B.


--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAMPzh%3DeJXZBds9XBeEf%2BFj7uc_VbeV3YrdY86q-L8fcckQRwvg%40mail.gmail.com.

Eldan Ben Haim

Mar 10, 2021, 8:47:41 AM3/10/21
to John Bradley, Akshay Kumar, FIDO Dev (fido-dev), Milos Kuchar
For the platform provider — this goes through the MS NGC KSP. It’s rather easy to identify the actual key and container name used. 

There are private APIs and IPC calls that allow you to invoke bio auth and get the events you need to implement your own UI, then use the Bio Auth ticket (or PIN) to authenticate to the KSP key.

Note however that all of this can break when MS decides to change the implementation (however it’s been relatively stable for the past couple of years). 

