Will it have Challenge-Response for Apps like LUKS or KeePassXC?

[JannF]

Will the Solo V2 have Challenge-Response authentication for use cases like a second factor for KeePassXC or LUKS?

[nickray]

We still think the way to do this is to use the hmac-secret extension that is part of the actual standard (it is in essence HMAC-SHA256 challenge-response). In that sense, the answer is, yes, at launch (and Solo V1 has it too, just like every fully certified FIDO2 dongle).

If the question is whether we will implement Yubico's proprietary app (in essence, HMAC-SHA1 challenge-response), the answer is no, we do not plan to do so. This sentiment is shared by other vendors such as Trezor - if OSS such as KeePassXC and LUKS moves on to an actual standard instead of one company's private sauce, everyone wins.

For LUKS, I know of https://github.com/shimunn/fido2luks, for password managers (also Bitwarden), I think there are better ways to use a key as second or primary factor to unlock than either of these challenge-reponse approaches. (Since I personally use Bitwarden, if upstream does not implement something, I know I will try once the dust settles).

[tmthrgd]

the quote from the spec is on makecredential, not getassertion. @tmthrgd

interesting tho that the yubikey axes it anyway.

what tool did you use?

You're absolutely right, I misread. Looking at it a bit more closely, user presence can be disabled normally for authenticatorGetAssertion, but cannot be disabled when using the hmac-secret extension as would be required for your usecase. The first step in the processing options for hmac-secret extension is:

"If "up" is set to false, authenticator returns CTAP2_ERR_UNSUPPORTED_OPTION."

The YubiKey is returning a non-standard error code, which made searching harder, but is otherwise following the spec here.

As for what tool, it's a not-yet-open-source password manager I'm working on. The FIDO2 support is entirely custom built directly atop /dev/hidraw or similar interfaces.

[My1]

okay damn that already removes the fun idea I had with getting PCs and/or servers with FIDO sticks and LUKS with FIDO remote-bootable...

[My1]

altho considering there are vendor commands, can there also be vendor extensions?

[nickray]

There can be, but of little use if clients (mostly browsers) don't relay them. Clients are supposed to relay unknown extensions, but in practice they don't.

[My1]

There can be, but of little use if clients (mostly browsers) don't relay them. Clients are supposed to relay unknown extensions, but in practice they don't.

even authenticator extensions? I mean client extensions sure but authenticator extensions should be passed through with no processing at all imo.