Comments (14)
That's right. Registering the key requires a PIN. Checking the key only requires me to press the button on the key.
from solo-webupdate.
So I figured out that when Windows asks to enter a PIN, you need to press the key in order for it to save it.
It however still seems that updating the key on the website using the regular procedure doesn't work. When choosing the advanced option it is possible to update the key.
from solo-webupdate.
Does the recently merged #20 fix this for you?
from solo-webupdate.
I just tried this out on Firefox. It still specifically asks for a PIN. Then I tried it in Edge, which is completely stock, but it also asks for a PIN, even just to inspect the key.
After entering my PIN, the browser asks me to press the button. After I've done that, there is no possibility to update the key. The only way is via advanced mode, which is the way I've used every time as of now.
from solo-webupdate.
Hm, weird. I don't really use FF and Edge but never had any problems in Opera so far, and after that fix I hacked in, I think I never got any PIN prompts, and even less presence prompts.
from solo-webupdate.
I personally try to stay away from Chromium based browsers. However, I just installed Opera and these are my findings:
- Going to the update site still requires me to enter a PIN after pressing the "Inspect key" button. Without entering a PIN, I never get the "Update Solo Secure" button. This is the same as with Firefox and Edge.
- After getting the "Update Solo Secure" button, I follow the steps before pressing the button
- When I press it, I get a Windows notification asking me if I'm still there and I should verify that with the key (which at this point is impossible, due to the key being in update mode). This is also the same as Firefox and Edge.
- However, when I cancel out of that prompt, "Flashing Firmware" appears below the "update" button. This never happens with Firefox and Edge.
- Nothing happens at this point, until I press "Update Solo Secure" once again. Now Opera starts updating the key. This is different from Firefox.
So it indeed seems that the update tool doesn't play nice with browsers that are not Chromium based.
from solo-webupdate.
Are you running Windows 10 1903 or later?
If yes, that's the reason apparently. I generally stay away from W10 as far as I can so I didn't catch them.
Apparently they steal the FIDO2 away, which totally screws everything. On older W10, Win8.1 as well as Kubuntu 18.04 I don't get any PIN prompt at all.
This can be seen by the fact that the FIDO2 request doesn't get processed by a Chrome pop-up but by a window called "Windows Security".
just for reference, a native firefox prompt should look a bit like this:
Otherwise something else is taking your requests, like in that case W10.
from solo-webupdate.
Right, I see! I'm indeed using Windows 10 1903. And I'm always getting the Windows prompt, in every browser:
So the issue here might be Windows instead of the browsers! I guess this might be related to #5 ?
from solo-webupdate.
While I don't really use Windows 10, I think it certainly might be plausible that it is related to said issue, so the interesting question would be whether the update on 1903/Opera actually does work and not just the "flashing firmware" appearing half randomly, no idea whether downgrading Solo is safe or even possible but unless there just happens to be someone with an outdated Solo or we get a new fw to play the update scenario on 1903.
but update aside I wonder whether skipping PINs works in any way in 1903 in the first place.
I have a fun little sandbox for webauthn stuff:
https://my1.dev/wa/_test/client.html
can you go here, flip the user verification to discouraged and try to register and login using your key?
this might shed some light on the chaos that is 1903
from solo-webupdate.
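Added example, not part of the thread or of the solo-webupdate code: one way to see from a WebAuthn response whether the client or platform performed PIN verification even though `userVerification` was set to `discouraged`, by decoding the flags byte of the authenticator data. The helper names and the sample bytes are constructed for illustration.

```javascript
// Authenticator data layout (WebAuthn spec):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_BITS = { UP: 0x01, UV: 0x04, AT: 0x40, ED: 0x80 };

// Accepts a Uint8Array or an ArrayBuffer, e.g. response.authenticatorData
// from an assertion in the browser.
function parseAuthenticatorData(bytes) {
  const buf = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  if (buf.length < 37) {
    throw new RangeError(`authenticator data too short: ${buf.length} bytes`);
  }
  const flags = buf[32];
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  return {
    userPresent: (flags & FLAG_BITS.UP) !== 0,    // button press
    userVerified: (flags & FLAG_BITS.UV) !== 0,   // PIN or biometric
    hasAttestedCredential: (flags & FLAG_BITS.AT) !== 0,
    hasExtensions: (flags & FLAG_BITS.ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Compare what the relying party requested with what was actually done.
// requestedUV is the userVerification value sent in the request options.
function describeVerification(requestedUV, authData) {
  const { userPresent, userVerified } = parseAuthenticatorData(authData);
  if (!userPresent) return "no-presence";
  if (userVerified && requestedUV === "discouraged") return "uv-forced";
  if (!userVerified && requestedUV === "required") return "uv-missing";
  return userVerified ? "presence+uv" : "presence-only";
}

// Constructed sample data: rpIdHash left as zeros, only flags and counter set.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

// Button press only, as expected with "discouraged" and no PIN prompt.
console.log(describeVerification("discouraged", sampleAuthData(0x01, 7)));
// UP and UV both set: a PIN was entered although the site discouraged it.
console.log(describeVerification("discouraged", sampleAuthData(0x05, 8)));
```

A relying party that sets `userVerification: "required"` should reject any response that yields `uv-missing`.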
All right, so in Opera I tried this. When pressing the "New registration" button, I also get the "Enter your PIN" prompt:
When I cancel the prompt I receive this error from the website:
The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.
If I enter my pin, I have to touch the key. Then Opera asks me if I want to confirm the action:
After that, registration is complete.
I btw have another Solo Key, which isn't updated yet, so I can help out with that key as well.
from solo-webupdate.
but checking should not require the pin right?
I mean technically Windows is doing the right thing, as the FIDO2 spec for some crazy reason says that a registration operation has to require a PIN. (one of the 2 things that make FIDO2 really annoying instead of super awesome)
from solo-webupdate.
Now that's something we might be able to work with.
Question for the Solo people. WebAuthn has extensions, does FIDO2 as well? And most notably, are custom extensions possible and if yes, how are browsers and other clients supposed to work with the requests from the RP and the responses from the authenticator? Just pass through?
If yes this would allow for some ways to work with this by masking everything instead of register into authenticate requests, which at the very least can pass the inspection. Updating may be chaotic though with Windows passing in.
@w0ndersp00n does one of your Solos perhaps not have a PIN set? If yes that might be an interesting target for some more plays, as the register -> force PIN flow only exists for devices that currently have a PIN set, so no PIN = no problems.
from solo-webupdate.
Too bad I've set a PIN already for both, since there was no other way for me to update the keys. I don't know if it is possible to remove the PIN afterwards?
from solo-webupdate.
only reset. which wipes both the Resident keys and the Master Secret for the normal credentials, obviously sux but kinda makes sense
from solo-webupdate.