Handling Platform Authenticator State Changes


johnsm...@gmail.com

May 23, 2022, 11:54:45 AM
to FIDO Dev (fido-dev)
Hi

I'm looking for guidance - if any is specified - on understanding how OS-level events interact with an enrolled FIDO2 authenticator.

For example, these events can occur:

1. A user who adds a new biometric (replacing a previous instance of the same biometric). 
2. A user removes screen lock security. 

How is this handled for a FIDO2 Platform Authenticator? Is the expectation for queries/checks to be made via OS APIs to detect that this has occurred and then for the relevant policy action to be taken, e.g. to re-enroll?

Apologies if this is a relatively naive question - I've looked through a number of docs but found nothing explicit.

Tim Cappalli

Jun 30, 2022, 3:37:33 PM
to johnsm...@gmail.com, FIDO Dev (fido-dev)
I'm not aware of any platform authenticator that surfaces this information or changes behavior after these events occur for FIDO2/WebAuthn.

tim


Philipp Junghannß

Jun 30, 2022, 3:46:17 PM
to Tim Cappalli, johnsm...@gmail.com, FIDO Dev (fido-dev)
Axing lock security entirely on Android is something I need to test, but tbh I wouldn't be surprised if the credentials get axed, as most if not all other credentials supported by the lockscreen security get thrown out as well.

Changing fingerprints is unlikely to affect anything on Android, as WebAuthn on Android has a fallback to classic lockscreen input (aka you can just enter your PIN/pattern/password, for example if your fp scanner is dirty or whatever).

Similarly (if anyone cares), the few roaming authenticators with an fp scanner that I own support changing fingerprints, and removing all fingerprints (where it'll just use the PIN, which has to be set for fp management anyway) is no problem, but similar to normal FIDO2 sticks you cannot remove the PIN without resetting the entire thing.

Regards 
My1
