On Tuesday, July 8, 2025, 9:20 PM, fido...@fidoalliance.org wrote:
- User Presence (UP) checks and NFC - 3 Updates
My1 <teamhyd...@gmail.com>: Jul 08 07:44PM +0200
Hello again,
I have a clarification question.
CTAP defines for NFC devices that there is supposed to be a user presence flag that
1) can only be used once
2) expires 2 minutes after putting the fido2-device on the reader
Now the question is: who is supposed to observe and enforce this, the authenticator or the platform?
After some tests, none of the (admittedly pretty few) authenticators that I own that actually have NFC actually observe these on their own, e.g. when using fido2-cred/assert or a tool called fido2-hid-bridge (a simple tool bridging NFC devices over to HID so Linux browsers can interact),
meaning that as far as I have seen the enforcement seems to be primarily on the platform. Is that correct?
I tested:
Solokeys Solo NFC
Yubikey 5 (5.1.2)
Yubico Security Key NFC (5.2.4)
Token2 PIN+ as well as older NFC-enabled keys
John Bradley <ve7...@ve7jtb.com>: Jul 08 12:12PM -0700
The authenticator is supposed to enforce it.
The expiry time of UP was under specified in CTAP2.0. You should be testing CTAP2.1 authenticators to see the behavior enforced.
CTAP2.1 and later authenticators not implementing an internal 2min timer for UP should fail certification.
Note CTAP2.1Pre authenticators were tested against CTAP2.0 requirements and should fail the CTAP2.1 conformance tests if they implement the pin protocol.
John B
Sent from my iPhone
My1 <teamhyd...@gmail.com>: Jul 08 10:19PM +0200
Was the single-use part of the flag also just in 2.1, or also in 2.0?
At the very least the PIN+ keys from Token2 are, as far as I am aware, CTAP2.1 (without pre). On those I also noticed that the authenticatorReset command also, as far as I remember, works WAY after the 10-15 seconds have passed, something which has been defined as something that shouldn't happen from the earliest version of CTAP2.1 I can find (fido-v2.1-rd-20191217).
Most of my other FIDO2 keys are in actual use, so not really something I'd want to reset.
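To make concrete what the thread says the authenticator itself is expected to enforce (a single-use user-presence flag that expires two minutes after the key is placed on the reader, and an authenticatorReset that is only honoured shortly after power-up), here is an added illustrative model of the authenticator-side state. It is not the CTAP specification text, not any vendor's firmware, and not code from anyone in this thread; the 10-second reset window is an assumption taken from the lower bound of the "10-15 seconds" mentioned above, and the class and method names are invented for the example. It is written as a state machine the platform cannot touch, so that a platform that skips its own checks still cannot reuse or outlive a UP flag.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed constants: the 2-minute UP expiry stated in the thread, and an
# assumed 10-second reset window (the thread says "10-15 seconds").
UP_TTL_S = 120.0
RESET_WINDOW_S = 10.0


@dataclass
class NfcAuthenticatorState:
    """State kept inside the (hypothetical) authenticator; the platform never sees it."""
    powered_on_at: float                 # time the key entered the NFC field
    up_set_at: Optional[float] = None    # time the current UP flag was armed
    up_consumed: bool = False            # single-use: True once an operation used it

    def on_field_detected(self, now: float) -> None:
        # Placing the key on the reader (re)arms a fresh UP flag.
        self.up_set_at = now
        self.up_consumed = False

    def up_available(self, now: float) -> bool:
        # UP is usable only if armed, not yet consumed, and within its lifetime.
        if self.up_set_at is None or self.up_consumed:
            return False
        return (now - self.up_set_at) <= UP_TTL_S

    def consume_up(self, now: float) -> bool:
        """Called by makeCredential/getAssertion. Returns False when the
        operation must be refused for lack of user presence."""
        if not self.up_available(now):
            return False
        self.up_consumed = True          # a second operation needs a fresh tap
        return True

    def reset_allowed(self, now: float) -> bool:
        # authenticatorReset is only honoured shortly after power-up.
        return (now - self.powered_on_at) <= RESET_WINDOW_S


def simulate() -> Dict[str, bool]:
    """Walk through the scenarios discussed in the thread and record the outcome
    the authenticator should produce for each."""
    state = NfcAuthenticatorState(powered_on_at=0.0)
    state.on_field_detected(0.0)
    results: Dict[str, bool] = {}
    results["first_assert"] = state.consume_up(1.0)     # fresh UP: accepted
    results["second_assert"] = state.consume_up(2.0)    # same UP reused: refused
    state.on_field_detected(10.0)                       # key lifted and re-tapped
    results["after_retap"] = state.up_available(10.5)   # re-armed: available
    results["after_expiry"] = state.consume_up(10.0 + UP_TTL_S + 1.0)  # >2 min: refused
    results["reset_early"] = state.reset_allowed(5.0)   # inside the window
    results["reset_late"] = state.reset_allowed(60.0)   # long after power-up: refused
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
```

The point of keeping `up_consumed` and `up_set_at` inside the authenticator object is the one John Bradley makes: a platform or bridge tool such as fido2-hid-bridge that never checks these rules should still be unable to obtain a second assertion from one tap, or any assertion after the two minutes have passed, because the refusal comes from the key.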
You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page.
To unsubscribe from this group and stop receiving emails from it send an email to fido-dev+u...@fidoalliance.org.