Comparing authenticatorVersion and firmware version

[CyrilCadoux]

Hi,
I am currently trying to refine my metadata service filtering. The goal would be to accept devices under UPDATE_AVAILABLE status, as long as the authenticatorVersion provided by the device itself is at least equals to the one given by the StatusEntry.

So far, I haven't found the way to retrieve information provided by the device itself. Is it even possible to do it with this library ? If yes, could you please indicate me where is this information available ?

Thanks a lot !

Cyril

[emlun]

Hi! An authenticatorVersion isn't available at all in the responses returned from most authenticators, so no, that would be impossible. If anything it would have to be embedded in the attestation certificate somehow, but I don't know of a standardized format for it.

I think the authenticatorVersion in the MDS is primarily meant for use with UAF devices, which report a lot more information than U2F/CTAP2 devices do. U2F/CTAP2 attestations don't include things like authenticatorVersion to prevent tracking users, and because most U2F/CTAP2 authenticators don't support firmware updates.

[CyrilCadoux]

Thanks for your answer !

But now I am wondering, what if a device is marked as compromised by the metadata service, is then patched, and gets an UPDATE_AVAILABLE status ?
Is it impossible for me to see if the user's token has been updated and contains the fix ?

[emlun]

In WebAuthn, yes, it is probably impossible. In UAF it might be possible, but WebAuthn is not compatible with UAF. I can think of one possible exception: the tpm attestation statement format includes a certInfo field which includes a firmwareVersion attribute (see section 10.12.8 of Trusted Platform Module Library, Part 2: Structures), which might be possible to compare with authenticatorVersions in the MDS. But other attestation statement formats don't define a way to convey firmware version, other than through some unstandardized X.509 certificate extension.

The most likely scenario in practice is that most authenticators either do not support firmware updates at all (including most external authenticators, like YubiKeys), or will likely update automatically soon after the update becomes available (including most platform authenticators in smartphones and similar). Authenticators that don't support firmware updates will in practice not get UPDATE_AVAILABLE status updates, instead they'll more likely have one of the *_COMPROMISE statuses.

[CyrilCadoux]

Ok, then I will just keep on checking the presence of a FIDO_CERTIFIED* status and check that the last status is not _COMPROMISE.
Thanks a lot