u2f | Go packages that provide communication | Binary Executable Format library
kandi X-RAY | u2f Summary
This is a set of Go packages that implement communication with FIDO U2F tokens over USB. See the documentation and example directories in each package for usage information.
Top functions reviewed by kandi - BETA
- Authenticate sends a request to the token.
- Check if a device is alive.
- encodeAuthenticateRequest encodes an AuthenticateRequest.
- Open returns a new device.
- Devices returns a slice of the device information.
- NewToken returns a token.
Community Discussions
Trending Discussions on u2f
QUESTION
I have a CakePHP application running on Cake PHP 3.8.13, CakeDC Users 8.5.1 and PHP 7.4. I am attempting to use a custom controller so that I can adjust the behaviour of the LoginTrait and PasswordChangeTrait.
I have been following the documentation in https://github.com/CakeDC/users/blob/master/Docs/Documentation/Configuration.md#using-the-users-email-to-login
However my custom UsersController is not being used.
I have added the following lines to /config/bootstrap.php
...
ANSWER
Answered 2020-Oct-12 at 07:59
It appears that customising the controller does not overwrite the current route; it only overwrites based on the custom controller name, i.e. instead of /login it is /myusers/login.
QUESTION
I've read in multiple places that since U2F doesn't have a concept of a user it can be used as one of the factors for login (in MFA) but is not ideal for passwordless, whereas WebAuthn has the concept of users, which could help with passwordless. My question is: what is that extra that WebAuthn adds to allow this? Yes, we do pass user information when we create the credentials, but in the end we're returned a credential id (which seems to be very similar to the key handle) and it is used to associate the user (on the server). From what I understand, WebAuthn definitely has the advantage of working with different authenticators (not just U2F keys), but apart from that what exactly does WebAuthn add to make passwordless easier?
CTAP describes how the browser and operating system establish communications with a compliant authentication device over USB, NFC or BLE communication mediums. Could we say CTAP is an application layer protocol (like FTP)?
When I use the fingerprint feature on my Android phone to verify using WebAuthn, is the browser communicating with the OS (which in turn pops up the authenticator) using CTAP2? Where do USB, NFC, BLE, internal come up here?
Here is a diagram for browser support for WebAuthn. In Chrome/Android, what does it mean to have stable support for the WebAuthn API but "in development" support for CTAP2? Does it mean some authenticators won't be supported?
ANSWER
Answered 2020-Jun-25 at 12:29
The spec specifically refers to it as an application layer protocol in the abstract:
The implementation from browser to browser and OS to OS will differ. Windows 10 now offers a native API which sits over the top of Windows Hello and standardises interactions with authenticator devices. Prior to this browsers on Windows had their own implementations and their own UIs. A given CTAP2 implementation would include support for 1 or more of the transports defined in the spec, each having a binding specific to the needs of that transport. The spec is worth a read.
Lack of CTAP2 support in the examples given above would mean that while you could use a backwards compatible FIDO2/CTAP2 compliant device you'd miss out on the added features of FIDO2 - primarily resident keys and thus the ability to have passwordless logins.
ETA: This article is pretty good and has some nice diagrams: https://hybrismart.com/2019/05/23/authentication-with-hardware-security-keys-via-webauthn-in-sap-commerce-cloud/
QUESTION
I'm currently experiencing issues generating a U2F public/private key-pair in the terminal with the following command:
ssh-keygen -t ecdsa-sk -vv
Running this command provides the following error:
...
ANSWER
Answered 2020-Jun-23 at 17:09
It appears that the issue causing this problem was an admin password placed on U2F functionality before I ever received the Yubikey from my work. You can't generate a U2F ecdsa-sk public/private keypair with an admin password in place.
QUESTION
I'm on my localhost and when I start the server it shows nothing. When I go to localhost:8080/register it should show "asdasd" (as you can see in the code) but it doesn't work. Can you guys help me out? Thank you very much!
...
ANSWER
Answered 2020-May-12 at 14:15
1) For a start, you are logging "asdasd" to the console and not responding to the request made at the "/register" endpoint; just modify your code to the one below.
QUESTION
I'm using my Yubikey 5 NFC with U2F as well as for OTP codes. I get OTP codes using the Yubico Authenticator app, which seems to be a little too complicated, and I was wondering if there is a way to assign it to short/long touch on my key so I don't need to open that app every time for codes I use often enough?
It seems that the authenticator uses something other than slots to store credentials; is it possible to read them with ykman or some other official command line utility/SDK?
ANSWER
Answered 2020-Apr-18 at 03:03
There are two types of 6-digit OTP codes that are part of OATH: HMAC-based (HOTP), which are generated in a fixed sequence, and time-based (TOTP), which update every 30 seconds or so. TOTP are more commonly used.
The Yubikey can generate HOTP codes on touch, in either slot 1 (short touch) or 2 (long touch). You can set this up with ykman otp hotp 1 or ... 2 as the case may be. It expects the secret key in base 32 format.
This can't be done for TOTP, for the simple reason that in order to generate a time-based code, you have to know what time it is, and the Yubikey doesn't have a real-time clock on board (because it doesn't have any power source to keep it running). So it can't generate TOTP codes without assistance from the software application, which feeds it the current time from the system clock.
If you don't like the graphical authenticator app, you can generate HOTP/TOTP codes from the command line by running ykman oath code.
QUESTION
There are many sources that say FIDO2/CTAP2 is backward compatible with U2F:
...all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn. - Yubico
But after looking at the specifications, I'm having trouble seeing how that actually works in practice. Specifically, it seems like there is a mismatch between FIDO2's relying party identifier and U2F's application identity.
In U2F, the application identity is a URL, like https://example.com. SHA-256 of the application identity is called the application parameter. The application parameter is what is actually sent to the authenticator during registration and authentication.
In FIDO2, the equivalent seems to be the relying party identifier, which is defined to be a domain name, like example.com.
The relying party identifier and the application identity serve the same purpose in FIDO2/CTAP2 and U2F respectively. However, CTAP2 authenticators get the relying party identifier directly as a UTF-8 string, whereas U2F authenticators only get a SHA-256 hash of the application identity (the application parameter).
The FIDO documentation for CTAP describes how CTAP2 maps onto CTAP1/U2F. In it, they simply treat the relying party identifier directly as the application identity:
Let rpIdHash be a byte array of size 32 initialized with SHA-256 hash of rp.id parameter as CTAP1/U2F application parameter (32 bytes)
This seems inconsistent. Let's say I were example.com, and I adopted U2F second-factor authentication early on. My application id would be https://example.com, so my original U2F application parameter would be SHA256("https://example.com"):
ANSWER
Answered 2020-Mar-12 at 16:07
WebAuthn supports backward compatibility with U2F via the AppID Extension documented in the W3C WebAuthn spec. The Relying Party (RP) passes the U2F application identity to the browser via this extension.
QUESTION
I've been investigating the implementation of CTAP2 protocol with Google Chrome (protocol between Fido Authenticator and Fido Client (e.g. Chrome)), which should be supported in Chrome since version 69.
So I dumped the chrome request to the authenticator in two cases:
1. U2F (CTAP1) with the Yubico demo website. Here everything goes as expected and Chrome follows the CTAP1 protocol.
2. FIDO2/WebAuthn (CTAP2) with webauthn.org. And the browser has a strange behaviour:
- It starts by following the CTAP2 protocol by sending a AuthenticatorGetInfoRequest
- The Authenticator replies with AuthenticatorGetInfoResponse
- But then Chrome switches to the CTAP1 protocol by sending a Registration Request Message (U2F_REGISTER)
Is it a problem with Chrome implementation: CTAP2 is not enabled entirely yet (it seems to be implemented in Chromium sources)?
Or is the problem coming from the authenticator: sending a response that makes Chrome switch to CTAP1?
Or something else entirely?
...
ANSWER
Answered 2020-Feb-14 at 20:13
In AuthenticatorGetInfoRequest, the authenticator must respond with a string list of the supported versions among "U2F_V2" and "FIDO_2_0". Note also in case of NFC or CCID, a "FIDO_2_0" (CTAP2) only authenticator shall answer directly "FIDO_2_0" on the SELECT command. I don't know about HID and BLE.
So maybe your authenticator is listing "U2F_V2" in the protocol versions list in AuthenticatorGetInfoRequest.
I also imagine the Chrome code base about this was moving fast and can be partial or not strict. To my tests in early 2020, the Chrome CTAP capabilities seem now stable and compliant.
QUESTION
I am working on a Chrome extension to modify U2F create request parameters from a web service. Is it possible to replace navigator.credentials.create request or response parameters through a Chrome extension?
I couldn't find resources related to this. Any pointers would be helpful.
In particular, when a user registers a U2F for a website, it calls the browser's web API navigator.credentials.create, which in turn contacts the hardware token and returns the response. I want to modify the request and response from the navigator.credentials.create API, called by the webpage.
ANSWER
Answered 2020-Feb-12 at 14:08
There is no way of achieving what you want through Chrome APIs. Chrome does not offer any kind of API to modify requests or other kinds of data "on the fly" like you'd want to do. I can only assume that this is most likely a security measure.
However, since you say that you want to modify the data that is passed and returned by navigator.credentials.create() on some particular website, you can easily do this with a content script that replaces the function with a custom handler and acts as a proxy, intercepting all calls and potentially modifying data.
Whether this makes any sense or not depends on what specifically you want to do when intercepting these calls. It's important to mention that as @gcochard makes us notice in a comment:
The whole point of U2F/WebAuthN is to make a cryptographically secure challenge/response scheme for strong authentication over the web. Inserting a proxy and changing the request and response will break that cryptographic challenge/response in any context where you're not a MITM, leaving your users dependent upon your extension to authenticate. It might help to explain what you're trying to do with this data.
Either way, you could still log and access the data, so there could be meaningful applications of this strategy.
I will only outline what the content script should do; if you also don't know how to inject a content script in a page, refer to this documentation page. In any case, you want your script to run as soon as possible, so make sure to have "run_at": "document_start".
The content script will do the following:
- Create a
QUESTION
I've recently started looking at U2F in Node.js and Javascript.
I get the error: TypeError: Cannot read property 'registerResponse' of undefined
Before receiving the error on the server i get the following returned:
...
ANSWER
Answered 2019-Aug-12 at 14:38
You are using var routes = require("./routes")(app); before BodyParser. Middlewares work in the order they are initialised. So, in your case body-parser is not even used in the routes.
Put the routes after bodyParser and cors:
QUESTION
I am building an Android authenticator for FIDO2. I got stuck with read/write characteristics. I am working on Mac - Chrome 75. Chrome can detect my Android BLE authenticator. After detecting my BLE authenticator, onCharacteristicReadRequest() is called from the authenticator side. Inside onCharacteristicReadRequest() I am using the code written below, but there is no response from the client after that.
I have tried U2F with version 0b01000000. It's working fine. When I moved to FIDO2 version 0b100000, I am facing this issue. I am advertising the FIDO service and the device info service from the authenticator. Both services have been added with a Thread.sleep(1000) interval. I couldn't add both services sequentially. When I add both services sequentially, I am getting ArrayIndexOutofBoundException.
I don't know if both issues are interlinked. Please correct me if I am doing anything wrong.
...ANSWER
Answered 2019-Jun-11 at 16:52
> I couldn't add both services sequentially
I think you could add the device info service like the following:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported