Move clientPin to device in between

August Tenon

Aug 3, 2022, 9:46:30 AM
to FIDO Dev (fido-dev)
Hi,

I am looking at version CTAP 2.0 January 30 and have a question about clientPin.

Is it possible to move the clientPin away from the client?

Say for example that we have a system between the client and the authenticator that forwards information between the two nodes. Could this device remove clientPin from the getInfo response and then append pinAuth to commands so that the middle device is responsible for the pin part?

It seems like it would be possible for the device in the middle to fetch the pinToken and then append pinAuth by calculating HMAC-SHA-256(pinToken, clientDataHash) when receiving a command.

Other variables like clientDataHash and authData are signed to prevent modification, but it seems like pinAuth isn't protected in this way.
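To make the pinAuth step in the question concrete, here is an added example (not code from the thread or from any FIDO implementation) of the CTAP 2.0 PIN protocol 1 computation, pinAuth = LEFT(HMAC-SHA-256(pinToken, clientDataHash), 16), with a model of the forwarding device adding it to a makeCredential map and the authenticator-side check. The pinToken and clientData values are constructed, and the CBOR map is represented as a plain Python dict keyed by the CTAP 2.0 makeCredential parameter numbers.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread). A real pinToken is issued by the
# authenticator through authenticatorClientPIN getPINToken; this one is made up.
PIN_TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte token, constructed
CLIENT_DATA_HASH = hashlib.sha256(b'{"type":"webauthn.create","challenge":"constructed"}').digest()


def compute_pin_auth(pin_token: bytes, client_data_hash: bytes) -> bytes:
    """CTAP 2.0 PIN protocol 1: pinAuth = LEFT(HMAC-SHA-256(pinToken, clientDataHash), 16)."""
    return hmac.new(pin_token, client_data_hash, hashlib.sha256).digest()[:16]


def verify_pin_auth(pin_token: bytes, client_data_hash: bytes, pin_auth: bytes) -> bool:
    """Authenticator-side check: recompute pinAuth and compare in constant time."""
    if len(pin_auth) != 16:
        return False
    expected = compute_pin_auth(pin_token, client_data_hash)
    return hmac.compare_digest(expected, pin_auth)


def middle_device_append_pin_auth(command: dict, pin_token: bytes) -> dict:
    """Model of the forwarding device in the question: it holds the pinToken and adds
    pinAuth (0x08) and pinProtocol (0x09) to a makeCredential map built by a client
    that never handled the PIN. Only clientDataHash (0x01) feeds into pinAuth."""
    forwarded = dict(command)
    forwarded[0x08] = compute_pin_auth(pin_token, command[0x01])
    forwarded[0x09] = 1
    return forwarded


def authenticator_accepts(command: dict, pin_token: bytes) -> bool:
    """The pinAuth binding the authenticator verifies (the rest of the command is not modelled)."""
    return verify_pin_auth(pin_token, command[0x01], command.get(0x08, b""))


def demo() -> dict:
    client_cmd = {0x01: CLIENT_DATA_HASH, 0x02: {"id": "example.com"}}  # clientDataHash, rp
    forwarded = middle_device_append_pin_auth(client_cmd, PIN_TOKEN)
    # A pinAuth computed over a different clientDataHash must be rejected.
    tampered = dict(forwarded)
    tampered[0x01] = hashlib.sha256(b"other client data").digest()
    return {
        "accepted": authenticator_accepts(forwarded, PIN_TOKEN),
        "tampered_rejected": not authenticator_accepts(tampered, PIN_TOKEN),
        "pin_auth_len": len(forwarded[0x08]),
    }
```

Running demo() shows the authenticator accepting the forwarded command and rejecting one whose clientDataHash no longer matches the pinAuth, which is the only binding pinAuth provides.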

Philipp Junghannß

Aug 15, 2022, 10:07:37 PM
to August Tenon, FIDO Dev (fido-dev)
So basically doing something similar to a smartcard reader with a secure Keypad?
I like the idea (and there are smartcard style FIDO2 devices too so it seems plausible like that too)

Honestly, I don't know whether this actually works; I think this would need to be tested, but it sounds like fun.

nuno sung

Aug 16, 2022, 12:52:11 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), August Tenon
https://w3c.github.io/webauthn/#sctn-client-authenticator-proximity

If the client allows or includes such kind of implementation, I think it falls within the risk assessment of the client trusting this middleware (hardware or software). The authenticator can only respond to the same CID of HID or pairing/encryption mode of BLE or per applet selection of NFC as a basic check.

On Tuesday, August 16, 2022 at 10:07:37 AM UTC+8, My1 wrote: