agl | 7 years ago
Yes. When registering a credential you can request[1] attestation information. Generally this will come in the form of an X.509 certificate[2] per batch of 100,000 devices which is signed by the manufacturer and which signs the generated key.
FIDO is planning on running a central registry[3] of devices which should include their certifications and manufacturer public keys etc.
For more details, see [4].
> My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature.
That's correct: CTAP1 just signs things. You can prove to a remote service that the credential is in live use right now because it signs over a server-provided nonce to show freshness, but that's all.
With CTAP2, devices can store keys themselves and they can provide a random oracle (i.e. HMAC) for unlocking locally encrypted data[5]. FIDO2 devices can also require a PIN to be provided before keys are released. (Or have a local fingerprint reader, although I don't know of any such devices yet.)
[1] https://www.w3.org/TR/webauthn/#attestation-convey
[2] https://www.w3.org/TR/webauthn/#fido-u2f-attestation
[3] https://fidoalliance.org/mds/
[4] https://www.imperialviolet.org/2018/03/27/webauthn.html#atte...
[5] https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...
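The two flows agl describes, as an added Go example that is not part of this thread and not code from any FIDO or WebAuthn implementation: a constructed vendor root signs a batch attestation certificate, the batch key signs the freshly generated credential key (the fido-u2f attestation format from [2]), and the relying party verifies that chain against the roots it trusts before storing the key. Each later CTAP1-style assertion is then checked for the server-issued nonce and for a strictly increasing signature counter. The vendor names, RP ID, origin, credential ID and the ClientDataHash stand-in for SHA-256(clientDataJSON) are all constructed assumptions, and the real protocol carries these values in CBOR and JSON rather than as raw arguments.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"io"
	"math/big"
	"time"
)

// must is only used by the constructed setup; the verification path returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func sha(parts ...[]byte) []byte { h := sha256.Sum256(bytes.Join(parts, nil)); return h[:] }
func genKey() *ecdsa.PrivateKey  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Authenticator is a constructed CTAP1/U2F-style device: one attestation key shared by a whole batch (certified by the vendor CA) plus a fresh key per credential.
type Authenticator struct {
	batchKey, credKey *ecdsa.PrivateKey
	BatchCert         []byte // DER cert for batchKey, signed by the vendor CA
	counter           uint32
}

// NewAuthenticator builds a constructed vendor root and one batch cert under it; a real RP would fetch the root out of band (e.g. from the FIDO metadata service).
func NewAuthenticator() (*Authenticator, *x509.Certificate) {
	caKey, batchKey := genKey(), genKey()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor Root (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &caKey.PublicKey, caKey))))
	t.SerialNumber, t.Subject.CommonName, t.IsCA, t.KeyUsage = big.NewInt(2), "Example Batch Attestation Key (constructed)", false, x509.KeyUsageDigitalSignature
	return &Authenticator{batchKey: batchKey, BatchCert: must(x509.CreateCertificate(rand.Reader, t, root, &batchKey.PublicKey, caKey))}, root
}

// Register creates the credential key and attests it in the FIDO U2F format: batch-key signature over 0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F.
func (a *Authenticator) Register(rpIDHash, clientDataHash, credID []byte) (pubU2F, attSig []byte) {
	a.credKey = genKey()
	pubU2F = elliptic.Marshal(elliptic.P256(), a.credKey.X, a.credKey.Y) // uncompressed point 0x04 || X || Y
	return pubU2F, must(ecdsa.SignASN1(rand.Reader, a.batchKey, sha([]byte{0}, rpIDHash, clientDataHash, credID, pubU2F)))
}

// Assert is CTAP1's one operation, "just sign things": a credential-key signature over authData || clientDataHash, where clientData carries the server's nonce.
func (a *Authenticator) Assert(rpIDHash, clientDataHash []byte) (authData, sig []byte) {
	a.counter++
	authData = binary.BigEndian.AppendUint32(append(append([]byte{}, rpIDHash...), 0x01), a.counter) // rpIdHash || flags (UP) || counter
	return authData, must(ecdsa.SignASN1(rand.Reader, a.credKey, sha(authData, clientDataHash)))
}

// RelyingParty is the server side: trusted vendor roots plus, after registration, the credential public key and the highest signature counter seen so far.
type RelyingParty struct {
	RPID, Origin string
	Roots        *x509.CertPool
	credPub      *ecdsa.PublicKey
	counter      uint32
}

// NewChallenge issues the fresh nonce every signature must cover; ClientDataHash stands in for SHA-256(clientDataJSON), which binds origin and challenge together.
func (rp *RelyingParty) NewChallenge() []byte { return must(io.ReadAll(io.LimitReader(rand.Reader, 32))) }
func ClientDataHash(origin string, challenge []byte) []byte { return sha([]byte(origin), challenge) }

// VerifyRegistration checks that the batch cert chains to a trusted vendor root and that the batch key really signed the new credential public key, then stores that key.
func (rp *RelyingParty) VerifyRegistration(challenge, credID, pubU2F, attSig, batchDER []byte) error {
	batch, err := x509.ParseCertificate(batchDER)
	if err != nil {
		return err
	}
	if _, err = batch.Verify(x509.VerifyOptions{Roots: rp.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // not issued by a manufacturer this RP trusts
	}
	batchPub, ok := batch.PublicKey.(*ecdsa.PublicKey)
	x, y := elliptic.Unmarshal(elliptic.P256(), pubU2F)
	if !ok || x == nil || !ecdsa.VerifyASN1(batchPub, sha([]byte{0}, sha([]byte(rp.RPID)), ClientDataHash(rp.Origin, challenge), credID, pubU2F), attSig) {
		return errors.New("attestation signature does not cover a well-formed credential key")
	}
	rp.credPub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	return nil
}

// VerifyAssertion proves the credential is in live use: the signature must cover this challenge and the counter must move forward, so a replayed response or a cloned key fails.
func (rp *RelyingParty) VerifyAssertion(challenge, authData, sig []byte) error {
	if len(authData) < 37 || !bytes.Equal(authData[:32], sha([]byte(rp.RPID))) || authData[32]&1 == 0 {
		return errors.New("authenticator data malformed, for another RP, or without user presence")
	}
	if rp.credPub == nil || !ecdsa.VerifyASN1(rp.credPub, sha(authData, ClientDataHash(rp.Origin, challenge)), sig) {
		return errors.New("assertion signature invalid: wrong key or stale challenge")
	}
	if n := binary.BigEndian.Uint32(authData[33:37]); n > rp.counter {
		rp.counter = n
		return nil
	}
	return errors.New("signature counter did not increase: replay or cloned credential")
}
```

To exercise it, build an Authenticator, put its root into an x509.CertPool for a RelyingParty, run Register through VerifyRegistration with one challenge, then Assert and VerifyAssertion with a second one. Feeding the same assertion twice fails on the counter, feeding it with a new challenge fails on the signature, and a device whose batch cert chains to a root outside the pool is rejected at registration, which is the check the metadata service in [3] exists to make possible.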
red_admiral | 7 years ago
A FIDO2 device with fingerprint reader was supposedly launched at RSA 2018 [1][2].
[1] https://mobileidworld.com/fido2-compliant-usb-key-fingerprin...
[2] https://www.slideshare.net/FIDOAlliance/fido-kwg-tech-semina...
ecesena | 7 years ago
But I couldn't find where to buy it.