FIDO2 - De-register an Authenticator


Krishnan

Jun 25, 2019, 8:05:23 AM6/25/19
to FIDO Dev (fido-dev)
Hi, 

How can a user de-register their authenticator?

Assume there can be multiple authenticators for one user at one RP, and the user should be able to deregister one of them.

How can we do it in FIDO2, and does WebAuthn have any API to do this?

Thanks in advance,
Krishnan. G

Emil Lundberg

Jun 25, 2019, 8:34:31 AM6/25/19
to fido...@fidoalliance.org
Hi,

There's no API for this in WebAuthn, since the RP just needs to delete
the public key from the users table (or wherever the RP chooses to store
users' public keys) to de-register the credential. CTAP2 has an
authenticatorCredentialManagement command that can be used to delete
resident keys from an authenticator; non-resident (U2F-style)
credentials don't need to be deleted from the authenticator since they're
not stored there.

/Emil
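To make the RP-side point concrete (the RP only has to drop the stored public key), here is an added example of a minimal server-side credential store with register, allow-list, assertion lookup and de-registration. It is not code from the thread or from any FIDO library; the table layout, the error types and the refuse-to-delete-the-last-credential policy are assumptions made for illustration.

```python
"""RP-side credential store: de-registration is just deleting the stored public key.

Added example (not from the thread); the table layout and error types are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class CredentialNotFound(Exception):
    """The (user, credential ID) pair is not in the table: the credential is not registered."""


class LastCredential(Exception):
    """Refusing to delete the user's only credential (policy choice in this example)."""


@dataclass
class StoredCredential:
    credential_id: bytes        # rawId from navigator.credentials.create()
    public_key_cose: bytes      # COSE public key from the attested credential data
    sign_count: int = 0         # last signature counter seen, updated on each assertion


@dataclass
class User:
    user_handle: bytes
    credentials: Dict[bytes, StoredCredential] = field(default_factory=dict)


class CredentialStore:
    """Stand-in for the RP's users table (a dict here; a DB table in practice)."""

    def __init__(self) -> None:
        self._users: Dict[bytes, User] = {}

    def register(self, user_handle: bytes, credential_id: bytes, public_key_cose: bytes) -> None:
        user = self._users.setdefault(user_handle, User(user_handle))
        if credential_id in user.credentials:
            raise ValueError("credential ID already registered for this user")
        user.credentials[credential_id] = StoredCredential(credential_id, public_key_cose)

    def allow_list(self, user_handle: bytes) -> List[bytes]:
        """Credential IDs the RP puts in allowCredentials for navigator.credentials.get()."""
        user = self._users.get(user_handle)
        return list(user.credentials) if user else []

    def lookup_for_assertion(self, user_handle: bytes, credential_id: bytes) -> StoredCredential:
        """Resolve the public key for an incoming assertion; a de-registered credential is unknown here."""
        user = self._users.get(user_handle)
        if user is None or credential_id not in user.credentials:
            raise CredentialNotFound
        return user.credentials[credential_id]

    def deregister(self, user_handle: bytes, credential_id: bytes, allow_last: bool = False) -> None:
        """De-register one authenticator: drop its public key. The lookup is scoped to the
        authenticated user so nobody can delete another user's credential by guessing its ID."""
        user = self._users.get(user_handle)
        if user is None or credential_id not in user.credentials:
            raise CredentialNotFound
        if len(user.credentials) == 1 and not allow_last:
            raise LastCredential  # otherwise the user is locked out unless another factor exists
        del user.credentials[credential_id]


def demo() -> dict:
    """Two authenticators registered, one removed: the assertion path only sees the other."""
    store = CredentialStore()
    alice = b"user-handle-alice"          # constructed sample data
    key_a, key_b = b"cred-id-yubikey", b"cred-id-phone"
    store.register(alice, key_a, b"cose-key-a")
    store.register(alice, key_b, b"cose-key-b")
    store.deregister(alice, key_a)
    try:
        store.lookup_for_assertion(alice, key_a)
        rejected = False
    except CredentialNotFound:
        rejected = True                   # assertion with the removed credential is rejected
    return {
        "allow_list": store.allow_list(alice),
        "deleted_rejected": rejected,
        "remaining_key": store.lookup_for_assertion(alice, key_b).public_key_cose,
    }


if __name__ == "__main__":
    print(demo())
```

The only security-relevant detail beyond "delete the row" is scoping the delete to the authenticated user's own credentials and deciding what happens when the last one goes; the authenticator itself is never involved.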

Arshad Noor

Jun 25, 2019, 9:52:56 AM6/25/19
to Krishnan, FIDO Dev (fido-dev)
One way to address this problem is to create a "FIDO2 Key Management"
panel within your application.  However, it can only help you delete
keys at a specific RP site, but not necessarily delete keys on the
Authenticator - unless the device manufacturer provides a tool for such
a purpose.

A public demo of an open-source "proof-of-concept" web-application is
available at https://fido2.strongkey.com. Register a key there, sign-in
and then go onto the "My Profile" page.  You can continue to "add" and
"delete" keys on this panel. This POC web-application is available to
download at github.com/strongkey.

Arshad Noor
StrongKey

Krishnan

Jun 26, 2019, 8:00:06 AM6/26/19
to FIDO Dev (fido-dev), krishna...@imaginea.com, arsha...@strongkey.com
Thank you for your response.

hetin k

Aug 5, 2022, 8:54:43 AM8/5/22
to FIDO Dev (fido-dev), Emil Lundberg
Hi All,

What could be the reason that WebAuthn does not come with a deregistration API to delete a credential on the authenticator side, like the API to create a credential?

Does anyone have an example of calling the CTAP2 authenticatorCredentialManagement command from a web application?

Thanks

Philipp Junghannß

Aug 5, 2022, 9:25:12 AM8/5/22
to hetin k, FIDO Dev (fido-dev), Emil Lundberg
Save for resident credentials, there really is no point (or even a way) to "deregister" a FIDO device, as the device does not store anything related to the credential.

With normal credentials the device just has a single master key. When registering, it generates the credential data and puts everything it needs to re-generate that credential data, in a way that requires the master key (either by encrypting the data, or by using a CSPRNG that is fed both a random value and that master key), into the credential ID (or key handle, for those who still remember U2F).

Generally speaking, the credential cannot be deleted from the device itself, as it does not exist on the device in the first place.

The only way to make the credential ID actually unusable would be a full reset of the FIDO device, which clears that master key (usually only possible on FIDO2 devices; U2F devices don't have a way to do that), but when clearing that, ALL credentials it has ever had will be unusable.

For resident credentials it might have been useful, but FIDO2.1 added a credential management feature which allows removing resident credentials directly from the device (though it needs the PIN to authenticate the action). In my opinion that move is a little late, as FIDO2.0 devices are kinda screwed: once the limit is reached, the only way to add new resident creds is by going CD-RW style and wiping everything, which is just bonkers in my opinion.


Emil Lundberg

Aug 5, 2022, 9:29:52 AM8/5/22
to hetin k, FIDO Dev (fido-dev)
In essence, because it's very complicated for external authenticators that are intermittently connected (especially true for NFC), and because it's not really necessary. Non-resident keys can't be deleted, nor do they need to be, because they're not stored on the authenticator. Resident keys get overwritten if you register a new one with the same RP ID and user handle. And if you do run out of storage space (not likely for platform authenticators, which typically have lots of it), there's credential management in CTAP2.1 so you can manually clear space if you need to.

Emil Lundberg

Software Engineer | Yubico
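The two replies above describe the authenticator side: a non-resident credential is re-derived from a master key and the data packed into the credential ID, so there is nothing to delete; a resident credential is stored, gets overwritten by a new one for the same RP ID and user handle, and can be removed with CTAP 2.1 credential management (PIN-protected) or wiped wholesale by a reset. The following added model shows all of that behaviour in working code. It is not code from the thread and not any vendor's real scheme: the HMAC-based derivation, the nonce-plus-MAC credential-ID layout and the PIN check are simplifications chosen for illustration, and the "private seed" stands in for the private key a real authenticator never returns.

```python
"""Model of a FIDO authenticator: non-resident credentials are derived from a master secret
and never stored; resident ones are stored and can be deleted (CTAP 2.1 credential
management) or wiped by reset.

Added example, not from the thread and not any vendor's real scheme: the HMAC-based
derivation, the credential-ID layout and the PIN handling are simplifications.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 16


class Authenticator:
    def __init__(self, pin: bytes) -> None:
        self._master = secrets.token_bytes(32)   # the single per-device master key
        self._pin = pin
        # resident (discoverable) credentials: (rp_id, user_handle) -> (credential_id, private seed)
        self._resident: Dict[Tuple[str, bytes], Tuple[bytes, bytes]] = {}

    # --- non-resident credentials: everything needed lives inside the credential ID ---
    def _prf(self, label: bytes, rp_id: str, nonce: bytes) -> bytes:
        return hmac.new(self._master, label + rp_id.encode() + nonce, hashlib.sha256).digest()

    def make_credential(self, rp_id: str, user_handle: bytes = b"", resident: bool = False) -> Tuple[bytes, bytes]:
        """Returns (credential_id, private seed). The seed stands in for the private key,
        which a real authenticator keeps to itself while returning only the public key."""
        if resident:
            cred_id, seed = secrets.token_bytes(32), secrets.token_bytes(32)
            # same RP ID + user handle overwrites the previous resident credential
            self._resident[(rp_id, user_handle)] = (cred_id, seed)
            return cred_id, seed
        nonce = secrets.token_bytes(NONCE_LEN)
        # credential ID = nonce || MAC(master, rp_id, nonce); the seed is re-derived from it later
        cred_id = nonce + self._prf(b"tag", rp_id, nonce)[:TAG_LEN]
        return cred_id, self._prf(b"seed", rp_id, nonce)

    def get_assertion(self, rp_id: str, cred_id: bytes) -> Optional[bytes]:
        """Returns the private seed for this credential ID, or None if the device cannot use it
        (wrong RP, foreign device, deleted resident credential, or a reset since registration)."""
        for (stored_rp, _), (stored_id, seed) in self._resident.items():
            if stored_rp == rp_id and hmac.compare_digest(stored_id, cred_id):
                return seed
        if len(cred_id) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = cred_id[:NONCE_LEN], cred_id[NONCE_LEN:]
        if not hmac.compare_digest(tag, self._prf(b"tag", rp_id, nonce)[:TAG_LEN]):
            return None                      # CTAP would report no usable credentials
        return self._prf(b"seed", rp_id, nonce)

    # --- CTAP 2.1 credential management: resident credentials only, PIN-protected ---
    def enumerate_resident(self, pin: bytes, rp_id: str) -> List[Tuple[bytes, bytes]]:
        self._check_pin(pin)
        return [(uh, cid) for (rp, uh), (cid, _) in self._resident.items() if rp == rp_id]

    def delete_credential(self, pin: bytes, cred_id: bytes) -> bool:
        """True if a resident credential was removed; False for non-resident IDs (nothing to delete)."""
        self._check_pin(pin)
        for key, (stored_id, _) in list(self._resident.items()):
            if hmac.compare_digest(stored_id, cred_id):
                del self._resident[key]
                return True
        return False

    def reset(self) -> None:
        """Factory reset: new master key and empty resident store; every earlier credential ID is unusable."""
        self._master = secrets.token_bytes(32)
        self._resident.clear()

    def _check_pin(self, pin: bytes) -> None:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("PIN required for credential management")


if __name__ == "__main__":
    auth = Authenticator(pin=b"1234")
    cid, seed = auth.make_credential("example.com")
    print("non-resident usable:", auth.get_assertion("example.com", cid) == seed)
    print("deletable via credMgmt:", auth.delete_credential(b"1234", cid))
    auth.reset()
    print("usable after reset:", auth.get_assertion("example.com", cid) is not None)
```

Running it shows the asymmetry the replies describe: `delete_credential` on a non-resident ID returns False because there is no record to remove, while the same ID stops working the moment `reset` replaces the master key, together with every other credential the device ever issued.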


