u2f | U2F Authentication for Node.js | Runtime Evironment library

 by   ashtuchkin JavaScript Version: 0.1.3 License: No License

kandi X-RAY | u2f Summary

kandi X-RAY | u2f Summary

u2f is a JavaScript library typically used in Server, Runtime Evironment, Nodejs, Express.js applications. u2f has no bugs, it has no vulnerabilities and it has low support. You can install using 'npm i u2f' or download it from GitHub, npm.

U2F Authentication for Node.js
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              u2f has a low active ecosystem.
              It has 391 star(s) with 51 fork(s). There are 29 watchers for this library.
              OutlinedDot
              It had no major release in the last 12 months.
              There are 2 open issues and 6 have been closed. On average issues are closed in 1 days. There are 2 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of u2f is 0.1.3

            kandi-Quality Quality

              u2f has 0 bugs and 0 code smells.

            kandi-Security Security

              u2f has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              u2f code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              u2f does not have a standard license declared.
              Check the repository for any license declaration and review the terms closely.
              OutlinedDot
              Without a license, all rights are reserved, and you cannot use the library in your applications.

            kandi-Reuse Reuse

              u2f releases are not available. You will need to build from source code and install.
              Deployable package is available in npm.
              Installation instructions are not available. Examples and code snippets are available.

            Top functions reviewed by kandi - BETA

            kandi has reviewed u2f and discovered the below as its top functions. This is intended to give you an instant insight into u2f implemented functionality, and help decide if they suit your requirements.
            • Check registration token for registration
            • Verify signature verification response
            • Convert a raw PEM encoded XML to PEM .
            • Convert a sequence of a sequence .
            • Creates an U2 U2 request .
            • Verifies that the given ECDSA signature is valid .
            • Hash data .
            • Convert a Buffer to Base64 string .
            Get all kandi verified functions for this library.

            u2f Key Features

            No Key Features are available at this moment for u2f.

            u2f Examples and Code Snippets

            U2F-Client: Access U2F/USB keys directly, without browser,Usage
            JavaScriptdot img1Lines of Code : 27dot img1no licencesLicense : No License
            copy iconCopy
            var u2fc = require('u2f-client');
            
            // High-level API 
            // registerRequest and signRequest, as well as returned values are specified in U2F documentation
            u2fc.register(registerRequest, cb)   // Register U2F device, requires user presence
            u2fc.sign(sign  
            Usage
            JavaScriptdot img2Lines of Code : 1dot img2License : Permissive (MIT)
            copy iconCopy
            var u2f = require('node-u2flib-server');  

            Community Discussions

            QUESTION

            Having difficulty to get SSH with a Yubikey working with macOS monterey
            Asked 2022-Feb-06 at 01:52

            I'm following the FIDO U2F instructions on https://developers.yubico.com/SSH/ on macOS Monterey with openSSH 8.6 and run into the following issue:

            ...

            ANSWER

            Answered 2022-Feb-06 at 01:52

            Use Homebrew's OpenSSH

            Source https://stackoverflow.com/questions/68573454

            QUESTION

            Wrapped private key with libfido2?
            Asked 2022-Jan-23 at 18:00

            I am currently working my way into libfido2 and trying to figure out how to use wrapped private keys with it.

            Yubico says in the FAQs that with YubiKey 5 unlimited key pairs can be used for FIDO U2F; however, for FIDO2 only space for 25 resident keys is promised.

            1. Does "FIDO2" mean that resident keys are used and that FIDO2 cannot be used with (external) wrapped private keys?

            2. If this is the case, does libfido2 offer any possibility to work with FIDO U2F and wrapped keys instead?

            3. If so, how does libfido2 need to be configured to do this? How can I provide the library with the appropriate protected private key. At least in "fido2-assert" I don't see a way to do this when I want to create an assertion on the client.

            (The function accepts four specific parameters description here, and the only one that I understand could bring the private key is the "credential id". But the name makes me doubt if my request is possible with this parameter).

            I am grateful for any answer!

            EDIT: In the meantime I found this link to some Solo Keys developer pages describing how it works on Solo Keys. It seems the private key is calculated on the fly - in this case credential id would work as seed for the calculation)

            ...

            ANSWER

            Answered 2022-Jan-23 at 18:00

            FIDO2 encompasses both WebAuthn (browser API) and CTAP2 (USB/Bluetooth/NFC APIs for externally connected authenticators). CTAP2 supports both client-side and server-side credentials, and specifies how backwards compatibility with U2F/CTAP1 authenticators works. Since you're working with libfido2, the CTAP documentation might be useful to understand what it does under the hood.

            Client-side discoverable credentials (previously known as resident keys) are used for usernameless flows where no Credential IDs are specified during authentication. These keys are generated randomly and require storage space. Server-side credentials (non-resident keys) are represented as Credential IDs. What type of key is created is requested during the registration process but both FIDO2 standards default to server-side credentials if not specified. U2F only supported server-side credentials.

            For external authenticators with limited storage space, server-side credentials are typically wrapped private keys encrypted by a single 'master' key stored in the authenticator. Since the entire state is stored outside of the authenticator this allows for practically infinite keys to be generated even with limited storage space. But it does mean that the Credential ID generated during registration must be stored on the server, and in order to generate an assertion it must be offered back to the authenticator later for authentication. In WebAuthn these Credential ID(s) are typically presented after the user is identified (e.g. via username and password) in the allowCredentials argument, CTAP2 calls this allowList.

            With the terminology now (hopefully) clarified, yes libfido2 supports both types of credentials according to the assert example:

            Asks for a FIDO2 assertion corresponding to [cred_id], which may be omitted for resident keys. The obtained assertion is verified using .

            Source https://stackoverflow.com/questions/70823001

            QUESTION

            Unable to use AppId extension with WebAuthn for previously registered U2F keys
            Asked 2021-Nov-19 at 14:22

            With the eminent demise of the u2f api, I'm trying to move to WebAuthn APIs using the AppId extension to support security keys previously registered with U2F. As best I can tell from reading the docs I think I am doing it correctly, however, when attempting to authenticate I am prompted by my browser to tap my key, and my key is blinking, but upon tapping it I get the error "You're using a security key that's not registered with this website". In comparing the existing u2f authentication request I'm using the same appid and key handle.

            Example U2F sign request:

            ...

            ANSWER

            Answered 2021-Nov-16 at 17:53

            Everything about the options you pass to navigator.credentials.get() looks correct, including how you're specifying the "appid" extension. I believe the issue is that you're double-encoding your U2F credential's credential ID. Try passing the original "keyHandle" in the options instead (you can use it as-is because it's already compatible with base64url encoding):

            Source https://stackoverflow.com/questions/69993268

            QUESTION

            Difference between key handle and credential id
            Asked 2021-Sep-22 at 01:37

            What is the difference between a key handle and a credential id for WebAuthN?

            I see mention of the two here in the spec which states that allowCredentials MAY contain a mixture of both WebAuthn credential IDs and U2F key handles but I don't fully understand the difference.

            ...

            ANSWER

            Answered 2021-Sep-22 at 01:37

            So there is a practical short answer and deep technical long answer.

            So short answer: CredentialID in U2F is called keyHandle. So CredID == KeyHandle.

            Long answer:

            The CredID identifies a unique private/public keypair in the authenticator.

            The question is: How do you store tens and hundreds of keypairs while having very constraint and limited secure cryptographic storage? Well, you do not. During registration, the device generates the private/public keypair using some seed. It then adds some additional informations, like RPID hash, and then wraps(encrypts) this data with the device secret, that is randomly generated on each reset.

            The wrapped(encrypted) keypair is called KeyHandle. For the devices that have basically unlimited memory, like your phone, you most likely just create a randomly generated credential identifier, which called KeyID.

            So. CredID is a standardised name for the unique credential identifier. It can be either a KeyHandle(wrapped user's privated key) or KeyID(randomly generated credid).

            Should you care about it? No. I just have nothing else to do at 4am cause I have insomnia.

            Source https://stackoverflow.com/questions/69276091

            QUESTION

            CakeDC Users appears to be unable to load custom Controller
            Asked 2020-Oct-12 at 07:59

            I have a CakePHP application running on Cake PHP 3.8.13, CakeDC Users 8.5.1 and PHP 7.4. I am attempting to use a custom controller so that I can adjust the behaviour of the LoginTrait and PasswordChangeTrait.

            I have been following the documentation in https://github.com/CakeDC/users/blob/master/Docs/Documentation/Configuration.md#using-the-users-email-to-login

            However my custom UsersController is not being used.

            I have added the following lines to /config/bootstrap.php

            ...

            ANSWER

            Answered 2020-Oct-12 at 07:59

            It appears that customising the controller does not overwrite the current route it only overwrites based on the custom controller name, i.e. instead of /login it is /myusers/login

            Source https://stackoverflow.com/questions/64259150

            QUESTION

            Few open questions around FIDO2 webauthn and U2F
            Asked 2020-Jun-25 at 12:29
            • I've read in multiple places that since U2F doesn’t have a concept of a user it can be used as one of the factors for login (in MFA) but not ideal for passwordless whereas webauthn has the concept of users which could help with passwordless. My question is what is that extra that webauthn adds to allow this? Yes, we do pass user information when we create the credentials but in the end we're returned a credential id (which seems to be very similar to the keyhandle) and is used to associate the user (on the server). For what i understand, webauthn def has the advantage of working with different authenticators (not just U2F keys) but apart from that what exactly does webauthn add to make passwordless easier.

            • CTAP describes how the browser and operating system establish communications with a compliant authentication device over USB, NFC or BLE communication mediums. Could we say CTAP is an application layer protocol (like FTP?)

            • When i use the finger print feature on my android phone to verify using webauthn, is the browser communicating with the OS (which in turn pops up the authenticator) using CTAP2? Where does ufc, nfc, ble, internal come up here?

            • Here is a diagram for browser support for webauthn. In chrome/android, what does it mean to have stable support for WebAuthnAPI but In development support for CTAP2? Does it mean some authenticators wont be supported?

            ...

            ANSWER

            Answered 2020-Jun-25 at 12:29

            The spec specifically refers to it as an application layer protocol in the abstract:

            https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html

            The implementation from browser to browser and OS to OS will differ. Windows 10 now offers a native API which sits over the top of Windows Hello and standardises interactions with authenticator devices. Prior to this browsers on Windows had their own implementations and their own UIs. A given CTAP2 implementation would include support for 1 or more of the transports defined in the spec, each having a binding specific to the needs of that transport. The spec is worth a read.

            Lack of CTAP2 support in the examples given above would mean that while you could use a backwards compatible FIDO2/CTAP2 compliant device you'd miss out on the added features of FIDO2 - primarily resident keys and thus the ability to have passwordless logins.

            ETA: This artical is pretty good and has some nice diagrams: https://hybrismart.com/2019/05/23/authentication-with-hardware-security-keys-via-webauthn-in-sap-commerce-cloud/

            Source https://stackoverflow.com/questions/62518504

            QUESTION

            Cannot Generate U2F Public/Private Keypair for ssh : FIDO_ERR_RX
            Asked 2020-Jun-23 at 17:09

            I'm currently experiencing issues generating a U2F public/private key-pair in the terminal with the following command:

            ssh-keygen -t ecdsa-sk -vv

            Running this command provides the following error:

            ...

            ANSWER

            Answered 2020-Jun-23 at 17:09

            It appears that the issue causing this problem was an admin password placed on U2F functionality before I ever received the Yubikey from my work. You can't generate a U2F ecdsa-sk public/private keypair with an admin password in place.

            Source https://stackoverflow.com/questions/62329543

            QUESTION

            Get method nothing shows up
            Asked 2020-May-12 at 14:15

            I'm on my localhost and when i start the server it shows nothing. When i go to localhost:8080/register it should show "asdasd" (as you can see in the code) but it doesnt work. Can you guys help me out? Thank you very much!

            ...

            ANSWER

            Answered 2020-May-12 at 14:15

            1) for a start your are logging "asdasd" to the console and not responding to the request made at the "/register" endpoint, just modify your code to the one below.

            Source https://stackoverflow.com/questions/61753620

            QUESTION

            yubikey 5 NFC enter 6 digit code on touch
            Asked 2020-Apr-18 at 03:03

            I'm using my yubikey 5 NFC with U2F as well as for OTP codes. I get OTP codes using Yubico Authenticator app which seems to be a little too complicated and I was wondering if there is a way to assign it to short/long touch on my key so I don't need to open that app every time for codes I use often enough?

            It seems that the authenticator uses something else than slots to store credentials, is it possible to read them with ykman or some other official command line utility/sdk?

            ...

            ANSWER

            Answered 2020-Apr-18 at 03:03

            There are two types of 6-digit OTP codes that are part of OATH: HMAC-based (HOTP), which are generated in a fixed sequence, and time-based (TOTP), which update every 30 seconds or so. TOTP are more commonly used.

            The Yubikey can generate HOTP codes on touch, in either slot 1 (short touch) or 2 (long touch). You can set this up with ykman otp hotp 1 or ... 2 as the case may be. It expects the secret key in base 32 format.

            This can't be done for TOTP, for the simple reason that in order to generate a time-based code, you have to know what time it is, and the Yubikey doesn't have a real-time clock on board (because it doesn't have any power source to keep it running). So it can't generate TOTP codes without assistance from the software application, which feeds it the current time from the system clock.

            If you don't like the graphical authenticator app, you can generate HOTP/TOTP codes from the command line by running ykman oath code.

            Source https://stackoverflow.com/questions/61283529

            QUESTION

            FIDO2 compatibility with U2F/CTAP1
            Asked 2020-Mar-14 at 19:14

            There are many sources that say FIDO2/CTAP2 is backward compatible with U2F:

            ...all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn. - Yubico

            But after looking at the specifications, I'm having trouble seeing how that actually works in practice. Specifically, it seems like there is a mismatch between FIDO2's relying party identifier and U2F's application identity.

            In U2F, the application identity is a URL, like https://example.com. SHA-256 of the application identity is called the application parameter. The application parameter is what is actually sent to the authenticator during registration and authentication.

            In FIDO2, the equivalent seems to be the relying party identifier, which is defined to be a domain name, like example.com.

            The relying party identifier and the application identity serve the same purpose in both FIDO2/CTAP2 and U2F. However, CTAP2 authenticators get the relying party identifier directly as an UTF8 string, whereas U2F authenticators only get a SHA-256 hash of the application identity (the application parameter).

            The FIDO documentation for CTAP describes how CTAP2 maps onto CTAP1/U2F. In it, they simply treat the relying party identifier directly as the application identity:

            Let rpIdHash be a byte array of size 32 initialized with SHA-256 hash of rp.id parameter as CTAP1/U2F application parameter (32 bytes)

            This seems inconsistent. Let's say I were example.com, and I adopted U2F second-factor authentication early on. My application id would be https://example.com, so my original U2F application parameter would be SHA256("https://example.com"):

            ...

            ANSWER

            Answered 2020-Mar-12 at 16:07

            WebAuthn supports backward compatibility with U2F via the AppID Extension documented in the W3C WebAuthn spec. The Relying Party (RP) passes the U2F application identity to the browser via this extension.

            Here are a few RP AppID examples in Python and Java.

            Source https://stackoverflow.com/questions/60649029

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install u2f

            You can install using 'npm i u2f' or download it from GitHub, npm.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            Install
          • npm

            npm i u2f

          • CLONE
          • HTTPS

            https://github.com/ashtuchkin/u2f.git

          • CLI

            gh repo clone ashtuchkin/u2f

          • sshUrl

            git@github.com:ashtuchkin/u2f.git

          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link