Example cred breaks with user verificaton enabled #192
Hi,
This is indeed a bit confusing. What is happening is that, by specifying user verification (UV) as true or false in the request, you are explicitly requesting UV to be enabled or disabled on an authenticator that does not support it. According to the spec, if an authenticator issued with a 'make credential' sees an option that is known but not supported, it should terminate the procedure and return CTAP2_ERR_UNSUPPORTED_OPTION.

However, if you do not specify UV but pass a valid PIN token to an authenticator that supports clientPin, the authenticator will set the UV bit in the signed portion of its response. In this sense, PIN implies UV, and examples/cred is working as expected.

…-p.
But how can the token not support not verifying the user? I just tried some of the demos from this list again and on my Windows machine, when I choose user verification: discouraged, it still asks for my PIN and only works after I enter it. On my Linux machine it works to register on these demo websites without being asked for a PIN. Therefore the token can be used without the PIN... It doesn't make sense to me at all now.
If the authenticator has a PIN configured, then the PIN is required for a FIDO2 'make cred' to succeed:
https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential

On authenticators that support U2F, it is possible to create new non-resident credentials without the FIDO2 PIN. examples/cred uses U2F if -u is specified.

…-p.
Sorry, forgot to conclude: your Windows browser is talking FIDO2 to the key, while your Linux browser is talking U2F to the key.
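The rules the two replies above lay out, as an added example that is not libfido2 code: a constructed C model of how an authenticator answers makeCredential depending on the requested uv option, whether a PIN is configured, whether a PIN token was sent, and whether the client went over U2F instead. The struct fields and names are assumptions of the model, and only the failure paths mentioned in the thread are represented.

```c
#include <stdbool.h>
/* Constructed model (not libfido2 code) of the makeCredential option handling
 * described in this thread. Status values are the CTAP codes quoted in the
 * thread; failure paths the thread does not mention (e.g. a bad pinAuth) are
 * not modelled. */
enum { CTAP_OK = 0x00, CTAP2_ERR_UNSUPPORTED_OPTION = 0x2b,
       CTAP2_ERR_PIN_REQUIRED = 0x36 };
/* Same three states as libfido2's FIDO_OPT_OMIT / FIDO_OPT_FALSE / FIDO_OPT_TRUE. */
typedef enum { OPT_OMIT, OPT_FALSE, OPT_TRUE } uv_opt;
struct authenticator {          /* what getInfo reports (assumed fields) */
    bool supports_uv;           /* "uv" listed: built-in user verification */
    bool supports_pin;          /* "clientPin" listed */
    bool pin_set;               /* "clientPin" true: a PIN is configured */
};
struct makecred_req {           /* what the client sends */
    bool u2f;                   /* CTAP1/U2F registration, as examples/cred -u */
    uv_opt uv;                  /* the "uv" option in the request */
    bool has_pin_token;         /* request carries a valid pinAuth */
};
struct makecred_resp {
    int status;                 /* CTAP status code */
    bool uv_flag;               /* UV bit in the signed authenticator data */
};
struct makecred_resp make_credential(const struct authenticator *a,
                                     const struct makecred_req *r)
{
    struct makecred_resp out = { CTAP_OK, false };
    /* U2F registration has neither a PIN nor a uv option. */
    if (r->u2f)
        return out;
    /* A known but unsupported option aborts the request (what -v triggers here). */
    if (r->uv != OPT_OMIT && !a->supports_uv) {
        out.status = CTAP2_ERR_UNSUPPORTED_OPTION;
        return out;
    }
    /* With a PIN configured, FIDO2 make cred needs the PIN token (no -P). */
    if (a->pin_set && !r->has_pin_token) {
        out.status = CTAP2_ERR_PIN_REQUIRED;
        return out;
    }
    /* A valid PIN token on a clientPin authenticator sets UV: PIN implies UV. */
    if (r->has_pin_token && a->supports_pin)
        out.uv_flag = true;
    /* Built-in UV requested (and supported, or we would have bailed above). */
    if (r->uv == OPT_TRUE)
        out.uv_flag = true;
    return out;
}
```

Running the four combinations from the report (no flags, -P, -v -P, -u) against a key with a PIN set and no built-in UV reproduces PIN_REQUIRED, success with the UV bit set, UNSUPPORTED_OPTION, and a PIN-less U2F registration respectively.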
Ok that explains the behaviour. So all in all libfido2 is working correctly but

Edit: Another error on my side, there are two PINs, one is used for personal identity verification (PIV) and the other one is used for FIDO2, on which my problem depends. Using Yubico's tools

I just realized that I didn't understand that the PIN and user verification don't belong together. Setting uv to
I'm playing around with my Yubikey 5 and this library and right now I'm trying the example cred.

If I run the binary without any parameters I get `cred: fido_makecred: FIDO_ERR_PIN_REQUIRED (0x36)`. After adding `-P <pin>` it seems to work. My token flashes and after touching the sensor the application ends without any errors. The problem occurs when I add `-v` to the parameters (to enable user verification). Then I receive `cred: fido_makecred: FIDO_ERR_UNSUPPORTED_OPTION (0x2b)` no matter if I also add the pin or not.

I looked at the code and noticed that calling `fido_cred_set_uv` with `FIDO_OPT_FALSE` or `FIDO_OPT_TRUE` always ends in the unsupported error while `FIDO_OPT_OMIT` does work. With `OMIT` replacing `TRUE` in the user verification part of examples/cred.c I can successfully run `./cred -v -P <pin>`.

The output of `fido2-token -I` doesn't show `uv` as an option but I don't know if it should. Registering online accounts with user verification required does work.

What version of libfido2 are you using?
1.4.0

What operating system are you running?
`Linux archdesktop 5.7.7-arch1-1 #1 SMP PREEMPT Wed, 01 Jul 2020 14:53:16 +0000 x86_64 GNU/Linux`

How does the problem manifest itself?
`cred: fido_makecred: FIDO_ERR_UNSUPPORTED_OPTION (0x2b)`

Is the problem reproducible?
`./examples/cred -v`

What are the steps that lead to the problem?
Compiling and running the example `cred` with `-v`

Does the problem happen with different authenticators?
I only have a Yubikey 5

Please include the output of `fido2-token -L`.
`/dev/hidraw6: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)`

Please include the output of `fido2-token -I`.

Output of example cred