Hi all, I've been facing some issues when testing the latest Firefox builds on macOS and have traced the point of deviation to checking of the capabilities reported by my device.
The FIDO2.0 spec indicates 3 capability flags
- CAPABILITY_WINK (If set to 1, authenticator implements CTAPHID_WINK function)
- CAPABILITY_CBOR (If set to 1, authenticator implements CTAPHID_CBOR function)
- CAPABILITY_NMSG (If set to 1, authenticator DOES NOT implement CTAPHID_MSG function)
I'm trying to understand the exact meaning of the CAPABILITY_NMSG flag. Does setting this flag indicate anything about the protocols supported (ie. U2F vs FIDO2)? Further, is this setting related to the version strings reported by the device?
From my testing, it seems like Firefox uses the capabilities flags to decide whether to use U2F or CTAP2. My device supports CTAPHID messages (for some legacy reasons), but does not support U2F auth. Is this valid?
Any clarification would be appreciated!