Assigning Serial Number


J B

Feb 22, 2023, 1:00:15 AM
to FIDO Dev (fido-dev)
The USB spec allows for writing several descriptors including manufacturer name, product name, and notably serial number. I know there are privacy concerns with exposing the serial number of a device and associating it with multiple accounts for the same user. 

I believe this is not a concern since the USB descriptor cannot be read over CTAP2, but I was hoping to confirm that here since I'm a bit paranoid about vulnerabilities.

John Bradley

Feb 22, 2023, 6:16:57 PM
to FIDO Dev (fido-dev), J B
The serial number is only available on special enterprise keys via the enterprise attestation extension, after the user consents to disclose that information in the browser via an appropriately scary browser or OS dialogue.

For regular keys no serial number is exposed over the web to the RP via CTAP or WebAuthn.

A privileged application on the device could read and write non-CTAP information from the authenticator if it is available.

If someone has an app on your device with access to USB there are other things they can probably also get unique identifiers from.

There is no risk over Webauthn of disclosing that information to a RP.

My1

Feb 22, 2023, 7:01:00 PM
to John Bradley, FIDO Dev (fido-dev), J B
I think some of the best people to ask about how to implement non-FIDO serial numbers, if needed, might be Yubico, as the YubiKeys have a serial number (no idea about the Yubico Security Key Series) which is exposed to the computer, IIRC, in several ways that aren't WebAuthn, and they may help explain which places may work well or not, or give general info about the subject, as it definitely is a touchy subject, for good reason.

But I generally concur with Mr. Bradley that there shouldn't be too much obvious harm in having the SN exposed via some interface. My biggest concern might be that the 3 major platform holders, Apple, MS and Google, all deal with personal data and advertising in some form, but as resident keys and passkeys are a thing, allowing the client/platform to easily see everything, I think we are way past the point of concern with the platform holders anyway.

I know there are some people from Yubico on the list, so if they can chime in that would be useful, as they likely have the most experience: their experience with U2F goes back to the YubiKey NEO from 2014, which is 9 years ago (lol, I feel old), and even with FIDO2 I would expect the YubiKey 5 to be one of the first FIDO2 devices out there, so calling Yubico a veteran in the space might be an understatement.

Regards
My1

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4ff31b2c-9b76-4e1a-80c9-38a2c2a472dfn%40fidoalliance.org.

DUBOUCHER Thomas

Feb 23, 2023, 3:38:45 PM
to My1, John Bradley, FIDO Dev (fido-dev), J B

The only requirement from the FIDO security requirements is the following:

4.2 - An Authenticator shall not provide information to one Relying Party that can be used to uniquely identify that Authenticator instance to a different Relying Party.

As John mentioned, it means that that information shall not be returned through the WebAuthn/CTAP interface. But it can be exposed elsewhere.

USB and NFC devices often have easily visible identifying information. For instance, smartcards have a CSN (Card Serial Number) used for authentication.

Best regards,

--

Thomas Duboucher
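As an added illustration of the two replies above (this is not code from the thread, from the FIDO specifications or from any vendor), the following Python decodes a WebAuthn attestationObject and lists exactly which identifiers reach the Relying Party: the AAGUID and credential ID from the authenticator data, and whatever certificate chain the attestation statement carries. The CBOR codec is a minimal subset written for this example; the AAGUID, credential ID, key and certificate bytes are constructed placeholders, not real device output; and the `enterprise_requested` flag is an assumption that the RP sent `attestation: "enterprise"` in its creation options.

```python
"""Decode a WebAuthn attestationObject and list what the Relying Party learns
about the authenticator.  Minimal CBOR subset written for this example; every
sample input below is constructed, not captured from a device."""
import hashlib

AT_FLAG = 0x40  # authenticator-data flag: attested credential data present

def _head(major, n):
    # CBOR initial byte(s) for a major type and unsigned argument, shortest form.
    if n < 24:
        return bytes([(major << 5) | n])
    size = 1 if n < 0x100 else 2 if n < 0x10000 else 4
    return bytes([(major << 5) | {1: 24, 2: 25, 4: 26}[size]]) + n.to_bytes(size, "big")

def cbor_encode(v):
    """Subset encoder: int, bytes, str, list, dict (CTAP2 canonical key order)."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        items = sorted(((cbor_encode(k), cbor_encode(x)) for k, x in v.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError("unsupported type %r" % type(v))

def _decode_at(b, i):
    # Decode one CBOR item at offset i; return (value, next offset).
    major, info = b[i] >> 5, b[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26):
        size = {24: 1, 25: 2, 26: 4}[info]
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major in (0, 1):
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):
        chunk = bytes(b[i:i + n])
        return (chunk if major == 2 else chunk.decode()), i + n
    if major == 4:
        items = []
        for _ in range(n):
            x, i = _decode_at(b, i)
            items.append(x)
        return items, i
    if major == 5:
        items = {}
        for _ in range(n):
            k, i = _decode_at(b, i)
            items[k], i = _decode_at(b, i)
        return items, i
    raise ValueError("unsupported CBOR major type %d" % major)

def cbor_decode(b):
    return _decode_at(b, 0)[0]

def parse_auth_data(ad):
    """Split authenticator data: rpIdHash | flags | signCount | attestedCredentialData."""
    out = {"rp_id_hash": ad[:32], "flags": ad[32], "sign_count": int.from_bytes(ad[33:37], "big")}
    if ad[32] & AT_FLAG:
        cred_len = int.from_bytes(ad[53:55], "big")
        out["aaguid"], out["credential_id"] = ad[37:53], ad[55:55 + cred_len]
        out["public_key"], _ = _decode_at(ad, 55 + cred_len)
    return out

def rp_visible_identifiers(attestation_object, enterprise_requested=False):
    """Identifiers the RP receives from one registration.  enterprise_requested is an
    assumption about the RP's request: it sent attestation: "enterprise" in its options."""
    att = cbor_decode(attestation_object)
    ad = parse_auth_data(att["authData"])
    x5c = att["attStmt"].get("x5c", [])
    return {
        "fmt": att["fmt"],
        "aaguid": ad["aaguid"].hex(),  # product line; shared by every unit of that model
        "credential_id": ad["credential_id"].hex(),  # per credential, scoped to this RP
        "attestation_certs": len(x5c),
        # Only an enterprise attestation (RP asked, browser/OS allowed it) may carry a
        # per-device identifier in the chain; anything else is batch-level attestation.
        "may_carry_device_serial": bool(x5c) and att["fmt"] != "none" and enterprise_requested,
    }

# Constructed sample inputs: made-up AAGUID, credential ID and key, not real device output.
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CRED_ID = bytes(range(32))
SAMPLE_COSE_KEY = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}  # ES256 key shape

def make_attestation_object(fmt, att_stmt, rp_id="example.com"):
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([0x01 | 0x04 | AT_FLAG])
                 + (0).to_bytes(4, "big") + SAMPLE_AAGUID + len(SAMPLE_CRED_ID).to_bytes(2, "big")
                 + SAMPLE_CRED_ID + cbor_encode(SAMPLE_COSE_KEY))
    return cbor_encode({"fmt": fmt, "authData": auth_data, "attStmt": att_stmt})

# Regular key registering with the default attestation preference: no certificate chain.
NONE_ATT = make_attestation_object("none", {})
# Packed attestation with a chain; the certificate bytes are a placeholder, not real DER.
PACKED_ATT = make_attestation_object("packed", {"alg": -7, "sig": b"\x30\x00", "x5c": [b"placeholder-cert"]})

if __name__ == "__main__":
    print(rp_visible_identifiers(NONE_ATT))
    print(rp_visible_identifiers(PACKED_ATT, enterprise_requested=True))
```

Running it shows that the only device-level value in a regular registration is the AAGUID, which names the model rather than the unit; the USB iSerialNumber string lives in the device descriptor the host OS reads and never appears in the CTAP2 response or the attestation object. An RP that did not ask for enterprise attestation should treat any certificate chain it receives as batch-level and must not store it as a device serial.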

Carlosalberto Torresaguilar

Feb 23, 2023, 4:21:24 PM
to My1, John Bradley, FIDO Dev (fido-dev), J B
Ok