WebAuthn APIs for password-less authentication on Windows 10


Moozoo

May 13, 2019, 11:28:05 PM
to FIDO Dev (fido-dev)
Hi

Am I correct that if you are creating a desktop application or a web browser you should be using the native Windows 10 WebAuthn APIs and not attempting to use CTAP2 over USB/NFC/Bluetooth?
I've seen that Firefox will be using the native APIs (https://blog.mozilla.org/security/tag/webauthn/); will Chrome be switching to it?
Does anyone know if Microsoft will be supporting NFC FIDO keys with Windows 10 Hello?

Is a Linux version of this API being created?
As per the webauthn.h file at https://github.com/Microsoft/webauthn

Regards Michael

John Bradley

May 14, 2019, 3:51:01 AM
to fido...@fidoalliance.org

All browsers and apps must use the Windows API on Windows 10 2019H1 and later.

Chrome detects the Windows version and uses the API when available.

Direct access to CTAP1/2 is blocked over all transports for apps not running with Admin privileges.

Microsoft has supported NFC keys since 2018H2. You just need a Windows-compatible CCID reader.

Chrome and Firefox get NFC support on 2019H1 via using the OS API.

Having OS-level WebAuthn support in Linux distributions would be great; getting Linux distributions to agree on something like that might be a challenge.

John B.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/2aacf18d-24ea-4454-867f-3809c23fc4d4%40fidoalliance.org.
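An added example (my own code, not from the thread or from Microsoft's webauthn repo) of the version detection John describes: probe webauthn.dll for WebAuthNGetApiVersionNumber, the export declared in the webauthn.h linked above, and route through the native API whenever it is present, since direct CTAP is then reserved for administrators. The helper names native_webauthn_api_version and choose_fido_path are hypothetical; on non-Windows builds the probe simply reports the API as absent.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
/* Prototype of WebAuthNGetApiVersionNumber as declared in webauthn.h. */
typedef DWORD (WINAPI *PFN_WEBAUTHN_GET_API_VERSION)(void);
#endif

/* Returns the API version reported by webauthn.dll (1 on Windows 10 1903),
 * or 0 when the DLL or the export is absent: pre-1903 Windows, or a
 * non-Windows build of this program (assumed fallback for this example). */
unsigned long native_webauthn_api_version(void)
{
#ifdef _WIN32
    HMODULE dll = LoadLibraryW(L"webauthn.dll");
    if (dll == NULL)
        return 0;
    PFN_WEBAUTHN_GET_API_VERSION fn = (PFN_WEBAUTHN_GET_API_VERSION)
        GetProcAddress(dll, "WebAuthNGetApiVersionNumber");
    unsigned long version = fn ? (unsigned long)fn() : 0;
    FreeLibrary(dll);
    return version;
#else
    return 0;
#endif
}

/* Transport policy derived from the probe result. */
enum fido_path { FIDO_PATH_NATIVE_API, FIDO_PATH_DIRECT_CTAP };

enum fido_path choose_fido_path(unsigned long api_version)
{
    /* Once the OS exposes the WebAuthn API, direct CTAP over USB/NFC/BLE is
     * only available to admin processes, so a normal app must use the API. */
    return api_version >= 1 ? FIDO_PATH_NATIVE_API : FIDO_PATH_DIRECT_CTAP;
}

int main(void)
{
    unsigned long v = native_webauthn_api_version();
    printf("webauthn.dll API version: %lu -> %s\n", v,
           choose_fido_path(v) == FIDO_PATH_NATIVE_API
               ? "use the native WebAuthn API"
               : "no native API; direct CTAP is the only option");
    return 0;
}
```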

Kobus Grobler

May 23, 2019, 5:21:42 AM
to FIDO Dev (fido-dev)

>Direct access to CTAP1/2 is blocked over all transports for apps not running with Admin privileges.

I had a look at the Webauthn header (https://github.com/microsoft/webauthn/blob/master/webauthn.h) and hopefully before access is blocked the full CTAP api is exposed somewhere.
Missing, for instance, are the CTAP Reset and PIN management commands.
How will other defined extensions be handled?

Will Admin privileges really be required for an app provided by the authenticator vendor to allow a user to manage his device?
There is some functionality not even specified in WebAuthn; for instance, how can a user remove resident keys from his device (in order to make space available)? Update firmware?
This is usually done with a vendor app using vendor-specific commands, and now this app will be blocked?

Imagine the following support nightmare:

User: Help, I forgot my PIN!
Vendor: Use our app to reset your authenticator.
User: It does not work.
...
(some 5 emails later on why it "does not work")
Vendor: Uhm... are you running as Admin user?
User: No, I'm on an AD domain and do not have admin rights (or "what is Admin user?").
Vendor: Throw it away to join the landfill now already filled with Google Titan keys that had a bug but could not be updated.

I'm sure there are some good technical reasons for controlling access to the transport and having a standard interface, but then the control API needs to be complete.

Maybe I'm missing something or am the only one seeing problems here, but I would like some input from Microsoft on this.

Thanks

Moozoo

May 27, 2019, 10:20:36 PM
to FIDO Dev (fido-dev)
In Windows 10 1903, security key reset and PIN management are done via Windows Hello. You click on Security Keys and then click Manage.
Note that for me at least it says security keys are for "app logins" (e.g. Edge and Firefox) and not Windows login or screen unlock. Which is disappointing because that's what I want for home (non-Azure/business) use.

I'm wondering if this is a precursor to blocking libusb and so on. To block direct access to a USB authenticator, don't they need to block low-level USB access?