Re: [FIDO-DEV] Digest for fido-dev@fidoalliance.org - 3 updates in 1 topic

[felicia...@gmail.com]

Help me understand 

Sent from Yahoo Mail for iPhone

On Tuesday, July 8, 2025, 9:20 PM, fido...@fidoalliance.org wrote:

fido...@fidoalliance.org

Google Groups

Topic digest
View all topics

• User Presence (UP) checks and NFC - 3 Updates

User Presence (UP) checks and NFC

My1 <teamhyd...@gmail.com>: Jul 08 07:44PM +0200 Hello again,   I have a clarification question.   CTAP defines for NFC devices that there is supposed to be a user presence flag that 1) can only be used once 2) expires 2 minutes after putting the fido2-device on the reader   now the question who is supposed to observe and enforce this? the authenticator or the platform?   As after some tests none of the (admittedly pretty few) Authenticators that I own that actually have NFC actually observes these on their own e.g. when using fido2-cred/assert or a tool called fido2-hid-bridge (a simple tool bridging NFC devices over to HID so Linux browsers can interact)   meaning that as far as I have seen the enforcement seems to be primarily on the platform, is that correct?   I tested: Solokeys Solo NFC Yubikey 5 (5.1.2) Yubico Security Key NFC (5.2.4) Token2 PIN+ as well as older NFC-enabled keys

John Bradley <ve7...@ve7jtb.com>: Jul 08 12:12PM -0700 The authenticator is supposed to enforce it.   The expiry time of UP was under specified in CTAP2.0. You should be testing CTAP2.1 authenticators to see the behavior enforced.   CTAP2.1 and later authenticators not implementing an internal 2min timer for UP should fail certification.   Note CTAP2.1Pre authenticators were tested against CTAP2.0 requirements and should fail the CTAP2.1 conformance tests if they implement the pin protocol.   John B   Sent from my iPhone   On Jul 8, 2025, at 10:45 AM, My1 <teamhyd...@gmail.com> wrote:      Hello again,   I have a clarification question.   CTAP defines for NFC devices that there is supposed to be a user presence flag that   1) can only be used once   2) expires 2 minutes after putting the fido2-device on the reader   now the question who is supposed to observe and enforce this? the authenticator or the platform?   As after some tests none of the (admittedly pretty few) Authenticators that I own that actually have NFC actually observes these on their own eg when using fido2-cred/assert or a tool called fido2-hid-bridge (a simple tool bridging NFC devices over to HID so Linux browsers can interact)   meaning that as far as I have seen the enforcement seems to be primarily on the platform, is that correct?   I tested:   Solokeys Solo NFC   Yubikey 5 (5.1.2)   Yubico Security Key NFC (5.2.4)   Token2 PIN+ as well as older NFC-enabled keys   --   You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.   To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.   To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACHSkNpufqWTW15ehwxje15UghzbnYKCK0B9%3DThaKCKF3jTBOw%40mail.gmail.com.

My1 <teamhyd...@gmail.com>: Jul 08 10:19PM +0200 was the single use part of the flag also just in 2.1 or also in 2.0?   at the very least the PIN+ keys from Token2 are as far as I am aware CTAP2.1 (without pre), on those I also noticed that the authenticatorReset command also as far as I remember works WAY after the 10-15 seconds have passed, something which has been defined as something that shouldnt happen from the earliest version of ctap2.1 I can find (fido-v2.1-rd-20191217)   most of my other FIDO2 keys are in actual use so not really something I'd wanna reset.

Back to top

You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page. To unsubscribe from this group and stop receiving emails from it send an email to fido-dev+u...@fidoalliance.org.