FIDO makeCredential without PIN #115
Comments
Hi, thanks for your interest in yubikit-android and for the question. I will do some investigations here and reply ASAP.
Hi @kysosk, please find my answers in this comment.
There are several conditions for using PIN verification in FIDO, which I will summarize here; please refer to the CTAP2.0 and CTAP2.1 specifications for details.
yubikit-android 2.4.0 has an issue where the first option (not using a PIN on an authenticator which does not have a PIN set) is not available. I have fixed this in a branch and added tests which can be run against authenticators and demonstrate makeCredential/getAssertion with no PIN and discouraged user verification. Creating credentials without providing a PIN (passing null to makeCredential/getAssertion) on a device which has a PIN set is not supported by CTAP2 and not supported by yubikit-android.
The yubikit-android SDK can communicate over NFC and USB transports. As per the CTAP specification, NFC uses the SmartCard protocol and USB uses the HID FIDO protocol. Currently the SDK can work with any NFC FIDO2 key, but only Yubico USB keys; the reason is that the SDK filters the USB device by the USB vendor. It should be possible to make the SDK work with any USB HID FIDO2 device if there is interest; I have already experimented with that. You can use the SDK's testing framework to get information about what is going on, including FIDO errors. The tests work with NFC and USB keys so you can see the differences. Every connection will provide CTAP2 information, which is a great start to understanding what the authenticator's capabilities are:
Let me know if you have more questions, I will be happy to answer.
Thank you for the response. Regarding the Idem Key from GoTrust:
Good info, thanks! We will merge the branch after internal review and it will be part of next release. Regarding the support for other vendors, I will bring that up with our team/project leadership.
There is a recommendation for the timeout values in the WebAuthn specification, based on the value of options.authenticatorSelection.userVerification (see here, point 4). 9000 seems too low. Related to the key you bricked, could you share more details on how that happened, please? Was it over USB or NFC? Did it happen after calling makeCredential from the SDK?
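Added here as a worked example of the two points made in this thread (it is not code from the yubikit-android project or from anyone in the thread): a CTAP2 authenticator that reports clientPin = true in its getInfo options has a PIN set and must receive it in makeCredential, while one reporting clientPin = false (or omitting it) should be passed null together with userVerification = discouraged; and the timeout hint is clamped into the range WebAuthn Level 2 recommends in section 5.1.3, step 4 (30 s to 180 s, default 120 s, when userVerification is discouraged; 30 s to 600 s, default 300 s, otherwise). The makeCredential argument order is the one used in the code posted later in this issue; the accessor Ctap2Session.getCachedInfo().getOptions() is an assumption to verify against the SDK version you build with, and the two option maps at the bottom are constructed sample data.

```kotlin
// Added example; not code from the yubikit-android project or from this thread.
import com.yubico.yubikit.fido.client.BasicWebAuthnClient
import com.yubico.yubikit.fido.ctap.Ctap2Session
import com.yubico.yubikit.fido.webauthn.PublicKeyCredential
import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions

class PinRequiredException :
    IllegalStateException("authenticator has a PIN set; CTAP2 needs it for makeCredential")

/**
 * CTAP2 getInfo "clientPin" option: true = PIN supported and set,
 * false = supported but not set, absent = not supported.
 * Returns the value to pass as the pin argument of makeCredential.
 */
fun pinForMakeCredential(infoOptions: Map<String, *>, configuredPin: CharArray?): CharArray? =
    when (infoOptions["clientPin"] as? Boolean) {
        true -> configuredPin ?: throw PinRequiredException()
        else -> null   // no PIN set (or clientPin unsupported): null is the correct argument
    }

/** Clamp the timeout hint (milliseconds) into the range recommended by WebAuthn Level 2, 5.1.3 step 4. */
fun recommendedTimeoutMs(userVerificationDiscouraged: Boolean, requested: Long?): Long {
    val (min, max, default) =
        if (userVerificationDiscouraged) Triple(30_000L, 180_000L, 120_000L)
        else Triple(30_000L, 600_000L, 300_000L)
    return requested?.coerceIn(min, max) ?: default
}

/**
 * Chooses the pin argument from the authenticator's cached getInfo data and
 * runs makeCredential with the same argument order as the code in this issue.
 * ASSUMPTION: Ctap2Session.getCachedInfo().getOptions() exposes the getInfo
 * options map; verify this accessor against the SDK version you build against.
 */
fun createCredential(
    session: Ctap2Session,
    clientDataJson: ByteArray,
    options: PublicKeyCredentialCreationOptions,
    effectiveDomain: String,
    configuredPin: CharArray?
): PublicKeyCredential {
    val pin = pinForMakeCredential(session.cachedInfo.options, configuredPin)
    try {
        return BasicWebAuthnClient(session)
            .makeCredential(clientDataJson, options, effectiveDomain, pin, null, null)
    } finally {
        pin?.fill('\u0000')   // clear the PIN array once the command has completed
    }
}

// Constructed getInfo option maps for the two cases discussed in the thread.
val keyWithPinSet: Map<String, Any?> = mapOf("clientPin" to true, "rk" to true, "uv" to false)
val keyWithoutPin: Map<String, Any?> = mapOf("clientPin" to false, "rk" to true, "uv" to false)

fun main() {
    check(pinForMakeCredential(keyWithoutPin, null) == null)
    check(pinForMakeCredential(keyWithPinSet, "11111111".toCharArray()) != null)
    runCatching { pinForMakeCredential(keyWithPinSet, null) }
        .onFailure { println("expected failure: ${it.message}") }
    println(recommendedTimeoutMs(userVerificationDiscouraged = true, requested = 9_000L))
    println(recommendedTimeoutMs(userVerificationDiscouraged = false, requested = null))
}
```

The decision is made before touching the authenticator, so an application that forgets to collect a PIN from the user fails with a clear message instead of a CTAP error from the key; the timeout clamp turns the 9000 ms value questioned above into the 30 s lower bound for the discouraged case.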
I was testing Idem Key on Android over NFC only. I did not get to USB but that is planned too. The code that worked:

    private fun makeCredentials(session: Ctap2Session): PublicKeyCredential {
        val challenge = "myPwd".toByteArray()
        val rpId = "example.com"
        val userName = "[email protected]"
        val clientData = ClientData(
            "webauthn.create",
            "https://" + rpId,
            Base64.getEncoder().encodeToString(challenge),
            "TestPackage"
        )
        val json = Gson().toJson(clientData)
        val rp = PublicKeyCredentialRpEntity("Example Company", rpId)
        val user = PublicKeyCredentialUserEntity(userName, userName.toByteArray(), "John Doe")
        // no resident key, userVerification = DISCOURAGED
        val criteria = AuthenticatorSelectionCriteria(
            null,
            ResidentKeyRequirement.DISCOURAGED,
            UserVerificationRequirement.DISCOURAGED
        )
        // -7 is the COSE identifier for ES256
        val credentialParameter = PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, -7)
        val credParams = listOf(credentialParameter)
        val credOptions = PublicKeyCredentialCreationOptions(
            rp,
            user,
            challenge,
            credParams,
            19000L,   // timeout in milliseconds
            null,
            criteria,
            null,
            null
        )
        val pin = "11111111".toCharArray()   // PIN set on the key
        //val pin = null                      // for a key with no PIN set
        val client = BasicWebAuthnClient(session)
        return client.makeCredential(
            json.toByteArray(),
            credOptions,
            "example.com",
            pin,
            null,
            null
        )
    }
I have just merged #116 which fixes handling of discouraged user verification.
Hello,
We are using the Yubikit SDK for Android (and planning to use it for iOS). I have a question about using the FIDO module without a PIN being used.
We have a sample application working with a YubiKey based on the samples.
Everything works fine as long as we have a FIDO2 PIN set and use it. Without a PIN being set, the credentials are not created. Is this by design, or does something need to be set up?
PublicKeyCredentialCreationOptions.AuthenticatorSelectionCriteria.userVerification is set to UserVerificationRequirement.DISCOURAGED
Here you state:
The method com.yubico.yubikit.fido.client.makeCredential has the PIN attribute as nullable: @Nullable char[] pin
So to me it is confusing whether it should work without a PIN in the SDK or not (the quoted text is not directly linked to the SDK). And if so, how should we set up the parameters for the method?
And my second question is: do you have any knowledge of whether your SDK works (even with some changes) with Idem Keys from GoTrust? I am aware that we are talking about different products and that it is not your responsibility to make it work with other products.