Re: [FIDO-DEV] Digest for fido-dev@fidoalliance.org - 8 updates in 2 topics


March conrad Maramag

Dec 9, 2022, 1:33:50 AM
to fido...@fidoalliance.org
Why am I receiving this? Am I part of the dev group?

On Thu, Dec 8, 2022, 3:59 PM <fido...@fidoalliance.org> wrote:
Sabarinathan Eaganathan <mail2sa...@gmail.com>: Dec 08 03:28AM -0800

Hi all,
In our service we are giving Yubikey as second factor already, and now we
have given support for configuring Passkey as first factor. How to stop
configuring Passkey (mobile-based security key) by clicking Yubikey in our
service? As I explored, there is no such differentiation for Passkey over
security key. We only have differentiation for platform and
cross-platform authenticators.
 
We are not even getting AAGUID for Passkey devices.
 
The transport data, which will be (usb,nfc) for security key devices,
will be (cable,hybrid,internal) for Passkey devices. But we are not
getting transport data either while configuring Passkey most times. The browser is
not giving transport data to us. Hence we are struggling to filter
hardware key and Passkey (mobile-based authenticator).
 
1) Either we need to show allowed-transport-based configuration filtering
2) Or we must have AAGUID for restricting configurations
 
Can anyone suggest a solution for our use case?
My1 <teamhyd...@gmail.com>: Dec 08 12:48PM +0100

Shouldn't setting cross-plat do the trick, as I would expect a passkey to be
platform by definition?
 
On Thu, Dec 8, 2022 at 12:28 PM Sabarinathan Eaganathan <
Sabarinathan Eaganathan <mail2sa...@gmail.com>: Dec 08 05:41AM -0800

Hi,
Replying to the above thread, we need QR-based passkey configuration, which can
be done via mobile, which is a cross-platform authenticator type. So we can't
separate this via 'platform' authenticator selection. Please suggest a
solution for this, team.
 
Regards,
Sabarinathan.e
On Thursday, December 8, 2022 at 5:19:06 PM UTC+5:30 My1 wrote:
 
Tim Cappalli <Tim.Ca...@microsoft.com>: Dec 08 03:07PM

You can reject a registration for authenticators that do not meet your requirements (by looking at attestations).
 
From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of Sabarinathan Eaganathan <mail2sa...@gmail.com>
Date: Thursday, December 8, 2022 at 08:41
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Cc: My1 <teamhyd...@gmail.com>, FIDO Dev (fido-dev) <fido...@fidoalliance.org>, Sabarinathan Eaganathan <mail2sa...@gmail.com>
Subject: Re: [FIDO-DEV] Filter Passkey alone in Configuration
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7d74e212-8c4d-4eca-8a0d-61ae369fd85cn%40fidoalliance.org.
Sandeep Dhankar <sandeep...@okta.com>: Dec 08 07:31AM -0800

The Passkeys do not have attestation, and without that it is not possible to
identify the Authenticator reliably. However, assuming that the
Authenticator is following the spec, it should be setting the
backupEligibility and/or backupState, which can be used to deduce if it's
a Passkey.
 
On Thu, Dec 8, 2022 at 7:08 AM 'Tim Cappalli' via FIDO Dev (fido-dev) <
Tim Cappalli <Tim.Ca...@microsoft.com>: Dec 08 03:33PM

Yes, and if you only want to allow Yubikeys, reject any registrations that are not Yubikeys (which would include those without attestations).
 
(Disclaimer: not something I would recommend. Just answering the original question.)
 
 
Cody Salas <c.s...@yubico.com>: Dec 08 11:55AM -0600

If there's interest, Yubico has some material around this use case -
https://developers.yubico.com/WebAuthn/Concepts/Authenticator_Management/
 
It essentially boils down to what has been discussed above:
 
1. Configure an allow list in your relying party - The example above
leverages AAGUIDs
2. Capture attestation from the registration ceremony
3. Send the registration to your relying party where it will either:
- Accept the registration if the attestation matches what is set in your
allow list
- Reject the registration otherwise
 
The material also outlines some pros, cons, and pitfalls to a few different
approaches. Hope it helps.
 
Cheers,
 
Cody Salas
Developer Advocate | Yubico <http://www.yubico.com/>
 
 
On Thu, Dec 8, 2022 at 9:33 AM 'Tim Cappalli' via FIDO Dev (fido-dev) <
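
The two checks discussed above (the backup flags Sandeep Dhankar mentions and the AAGUID allow list Cody Salas outlines), as an added example that is not part of any poster's message or of Yubico's material. The AAGUID and RP ID are constructed placeholders, and `attestation_verified` is assumed to be the result of attestation signature and trust-chain verification done elsewhere by the relying party's WebAuthn library.

```python
import hashlib
import struct
import uuid

# Bits of the flags byte in WebAuthn authenticator data.
UP, UV, BE, BS, AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and, when AT is set, the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "backup_eligible": bool(flags & BE),
        "backup_state": bool(flags & BS),
        "aaguid": None,
    }
    if flags & AT:
        if len(auth_data) < 55:
            raise ValueError("AT set but attested credential data truncated")
        info["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
    return info

def check_registration(auth_data, fmt, attestation_verified, allowed_aaguids):
    """Return (accepted, reason) for a hardware-key-only enrolment policy."""
    info = parse_auth_data(auth_data)
    if info["backup_state"] and not info["backup_eligible"]:
        return False, "invalid flags: BS set without BE"
    if info["backup_eligible"]:
        return False, "backup-eligible credential"
    # Assumption: attestation_verified comes from the RP's WebAuthn library.
    if fmt == "none" or not attestation_verified:
        return False, "no verified attestation, AAGUID cannot be trusted"
    if info["aaguid"] not in allowed_aaguids:
        return False, "AAGUID not on allow list"
    return True, "accepted"

# Constructed sample data: placeholder AAGUID and RP ID, not real product values.
ALLOWED = {uuid.UUID("11111111-2222-3333-4444-555555555555")}

def build_sample(flags: int, aaguid: uuid.UUID) -> bytes:
    """Build constructed authenticator data (COSE public key omitted)."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(b"example.test").digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id)
```

The backup-flag check runs before the allow-list check, so a credential that reports itself as backup eligible is rejected even when it arrives with no attestation at all.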
"Perla nallely Guadalupe Alejandre Ramón" <nallelyale...@gmail.com>: Dec 08 01:36AM -0600

As you can well see, I have already made progress on my part of the deal, so you
have no reason to keep my money withheld. I need to buy a phone and my materials
to be able to start on my videos, but with my money withheld I cannot
move forward, so it is until you want to, or until you wear out my patience and
the dirty laundry starts coming out.
 
On Wed, December 7, 2022, 4:58 PM, <fido...@fidoalliance.org>
wrote:
 
You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page.
To unsubscribe from this group and stop receiving emails from it send an email to fido-dev+u...@fidoalliance.org.