
Comments (14)

w0ndersp00n commented on July 29, 2024

That's right. Registering the key requires a PIN. Checking the key only requires me to press the button on the key.

from solo-webupdate.

w0ndersp00n commented on July 29, 2024

So I figured out that when Windows asks to enter a PIN, you need to press the key in order for it to save it.

It however still seems that updating the key on the website using the regular procedure doesn't work. When choosing the advanced option it is possible to update the key.

nickray commented on July 29, 2024

Does the recently merged #20 fix this for you?

w0ndersp00n commented on July 29, 2024

I just tried this out on Firefox. It still specifically asks for a PIN. Then I tried it in Edge, which is completely stock, but it also asks for a PIN, even just to inspect the key.

After entering my PIN, the browser asks me to press the button. After I've done that, there is no possibility to update the key. The only way is via advanced mode, which is the way I've used every time as of now.

My1 commented on July 29, 2024

hm weird. I don't really use FF and edge but never had any problems in opera so far and after that fix I hacked in, I think I never got any pin prompts, and even less presence prompts.

w0ndersp00n commented on July 29, 2024

I personally try to stay away from Chromium based browsers. However, I just installed Opera and these are my findings:

  • Going to the update site still requires me to enter a PIN after pressing the "Inspect key" button. Without entering a PIN, I never get the "Update Solo Secure" button. This is the same as with Firefox and Edge.
  • After getting the "Update Solo Secure" button, I follow the steps before pressing the button.
  • When I press it, I get a Windows notification asking me if I'm still there and I should verify that with the key (which at this point is impossible, due to the key being in update mode). This is also the same as Firefox and Edge.
  • However, when I cancel out of that prompt, "Flashing Firmware" appears below the "update" button. This never happens with Firefox and Edge.
  • Nothing happens at this point, until I press "Update Solo Secure" once again. Now Opera starts updating the key. This is different from Firefox.

So it indeed seems that the update tool doesn't play nice with browsers that are not Chromium based.

My1 commented on July 29, 2024

are you running windows 10 1903 or later?
if yes that's the reason apparently. I generally stay away from w10 as far as I can so I didn't catch them.

apparently they steal the Fido2 away which totally screws everything. on older w10, win8.1 as well as Kubuntu 18.04 I don't get any pin prompt at all.

can be seen by the fact that the Fido2 request doesn't get processed by a Chrome pop-up but a window called "windows Security"

just for reference, a native firefox prompt should look a bit like this:

and this is chrome
image

otherwise something else is taking your requests, like in that case w10

w0ndersp00n commented on July 29, 2024

Right, I see! I'm indeed using Windows 10 1903. And I'm always getting the Windows prompt, in every browser:

image

So the issue here might be Windows instead of the browsers! I guess this might be related to #5 ?

My1 commented on July 29, 2024

while I don't really use windows 10 I think it certainly might be plausible that it is related to said issue, so the interesting question would be whether the update on 1903/opera actually does work and not just the "flashing firmware" appearing half randomly, no idea whether downgrading solo is safe or even possible but unless there just happens to be someone with an outdated solo or we get a new fw to play the update scenario on 1903.

but update aside I wonder whether skipping PINs works in any way in 1903 in the first place.
I have a fun little sandbox for webauthn stuff:
https://my1.dev/wa/_test/client.html
can you go here, flip the user verification to discouraged and try to register and login using your key?
this might shed some light on the chaos that is 1903

from solo-webupdate.
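
As an added example (not part of the thread or of the solo-webupdate code): the test suggested above comes down to requesting `userVerification: "discouraged"` and then reading the UV flag in the returned authenticator data to see whether the platform asked for a PIN anyway. The function names, the `example.test` RP ID and the sample bytes are constructed for illustration.

```javascript
// Added example; names and sample bytes are constructed, not from the thread.

// Options a relying party passes to navigator.credentials.create() when it
// does not want the client to ask for a PIN (user verification).
function buildCreationOptions(challenge, userId) {
  return {
    publicKey: {
      rp: { id: "example.test", name: "UV test (constructed)" },
      user: { id: userId, name: "tester", displayName: "tester" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { userVerification: "discouraged" },
    },
  };
}

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
function parseAuthData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & 0x01) !== 0,  // UP: button was touched
    userVerified: (flags & 0x04) !== 0, // UV: PIN or biometric was checked
    signCount: view.getUint32(33, false),
  };
}

// Compare what the relying party asked for with what actually happened.
function describeOutcome(requestedUv, authData) {
  const { userPresent, userVerified } = parseAuthData(authData);
  if (!userPresent) return "no-user-presence";
  if (userVerified && requestedUv === "discouraged") return "uv-performed-although-discouraged";
  if (!userVerified && requestedUv === "required") return "uv-missing-although-required";
  return userVerified ? "uv-performed" : "presence-only";
}

// Constructed authenticatorData: dummy rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37).fill(0xaa, 0, 32);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}
```

For a login in the browser, the bytes to check are `new Uint8Array(assertion.response.authenticatorData)`; a result of `uv-performed-although-discouraged` means the client or platform collected the PIN even though the site did not ask for it.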

w0ndersp00n commented on July 29, 2024

All right, so in Opera I tried this. When pressing the "New registration" button, I also get the "Enter your PIN" prompt:

image

When I cancel the prompt I receive this error from the website:

The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.

If I enter my pin, I have to touch the key. Then Opera asks me if I want to confirm the action:

image

After that, registration is complete.

I btw have another Solo Key, which isn't updated yet, so I can help out with that key as well.

My1 commented on July 29, 2024

but checking should not require the pin right?

I mean technically windows is doing the right thing as Fido2 spec for some crazy reason says that a registration operation has to require a PIN. (one of the 2 things that make FIDO2 really annoying instead of super awesome)

My1 commented on July 29, 2024

Now that's something we might be able to work with.

Question for the solo people. Webauthn has extensions, does fido2 as well? And most notably, are custom extensions possible and if yes, how are browsers and other clients supposed to work with the requests from the rp and the responses from the authenticator? Just pass through?

If yes this would allow for some ways to work with this by masking everything instead of register into authenticate requests, which at the very least can pass the inspection. Updating may be chaotic though with windows passing in.

@w0ndersp00n does one of your solos perhaps not have a pin set? If yes that might be an interesting target for some more plays as the register -> force pin flow only exists for devices that currently have a pin set, so no pin = no problems.

w0ndersp00n commented on July 29, 2024

Too bad I've set a PIN already for both, since there was no other way for me to update the keys. I don't know if it is possible to remove the PIN afterwards?

My1 commented on July 29, 2024

only reset. which wipes both the Resident keys and the Master Secret for the normal credentials, obviously sux but kinda makes sense
