Comments (8)
ashleysommer
commented on June 12, 2024
So it seems like there are two issues here, that are potentially solvable in python-fido2.
- Not all devices that advertise
uv=Truenecessarily supportclientPin. There should be an additional call toClientPin.is_supported()guarding this line . - When "hmac-secret" extension is advertised, but "clientPin" is not, enter a fallback mode where the client can attempt to create a minimal
ClientPininstance without throwing the "Not Supported" exception, just for the purposes ofhmac-secret(it needs the connection's shared secret).
from python-fido2.
andrewkozlik
commented on June 12, 2024
I agree with @ashleysommer's assessment. The assumption that uv==True in the authenticatorGetInfo response implies clientPin==True seems incorrect. uv refers to built-in user verification and clientPin refers to the capability of accepting a PIN from the client platform, e.g. from the browser. In my opinion these two are completely independent. For example the CTAP spec explicitly states that "ClientPIN is not considered a built-in user verification method".
The Trezor T supports PIN entry directly on the device's touch screen, which is superior in terms of security to ClientPin, because the PIN cannot be intercepted by a keylogger or other potential malware on the user's machine. Supporting ClientPin on Trezor would reduce the security of the device, because it would encourage users to enter their PIN on their machine rather than on Trezor's built-in touchscreen.
from python-fido2.
ashleysommer
commented on June 12, 2024
I created two pull requests (#190 and #191) with fixes for these two issues.
from python-fido2.
dainnilsson
commented on June 12, 2024
Just to give a quick response to this: At first glance this looks fine, as do the two PRs. I will need to scrutinize the spec a bit before merging and unfortunately I don't have time to do that right now. Apologies for the delay!
from python-fido2.
dainnilsson
commented on June 12, 2024
I have an alternative proposal for changes that I believe should address this, and would love some feedback on it: #193.
As I don't have a Trezor T I haven't been able to test this myself, but looking at the proposed other PRs I believe these changes should address both issues. One difference is that in my PR the get_uv_token method is preferred instead of internal UV if supported and additional permissions are required. I'm assuming that this is supported by the Trezor, but I am not sure. If not then this may need additional changes.
from python-fido2.
andrewkozlik
commented on June 12, 2024
"UV token" sounds like something from CTAP 2.1. Trezor currently supports only CTAP 2.0.
from python-fido2.
dainnilsson
commented on June 12, 2024
"UV token" sounds like something from CTAP 2.1. Trezor currently supports only CTAP 2.0.
I believe that should still be fine, the code should fall back to pinAuth with internal_uv.
from python-fido2.
dainnilsson
commented on June 12, 2024
Version 1.1.2 is now released and should hopefully resolve this.
from python-fido2.
Related Issues (20)
- Incorrect handling of 'preferred' user verification. HOT 3
- To determine if security key is set with pin or not HOT 1
- How to save credentials on server HOT 2
- Encoding of create_options HOT 1
- Does this work with Touch ID on a Mac HOT 2
- Missing NetBSD HID support
- Internal fido2.hid API is racy
- Cache of HIDs which failed to open is not thread-safe
- <class 'OverflowError'>exception during authentication HOT 5
- WinError 2 exception while checking for security key HOT 3
- > Create gh pr checkout 76 #228
- Please support `cryptography` version `>=40` HOT 1
- Test fails on RHEL9 due to sha1 removal HOT 6
- secret retrieval part of `hmac_secret.py` example doesn't work with GoTrust Idem webauthn key
- multiple device selection errors out with `PIN_NOT_SET` HOT 1
- `WinAPI` does not implement extensions HOT 3
- Login with fingerprint HOT 6
- Token2 throws PIN_AUTH_INVALID when PIN Auth Protocol V2 and hmac-secret are used HOT 5
- How to mimic `navigator.credentials.get` HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from python-fido2.