BryanJacobs / FIDO2Applet

FIDO2 Javacard Applet
MIT License

User presence #18

Closed StarGate01 closed 4 months ago

StarGate01 commented 7 months ago

How is user presence handled?

I suggest implementing user presence, as this improves security and compatibility a lot. Since the card is NFC, I suggest allowing one user interaction per power cycle, and using that "NFC tap" as a user presence indicator.

See also the specification (https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-terminology) at §5:

For authenticators without a method to collect a user gesture inside the authenticator boundary other than through a power on gesture, the act of a user placing an NFC authenticator into the NFC reader’s field is considered a user gesture that establishes user presence and provides evidence of user interaction.

For CI testing, it should be possible to turn this behavior off (i.e. "user is always present") via an install parameter option.

BryanJacobs commented 7 months ago

I don't think implementing a one-use-per-tap would "improve security ... a lot". And it would hurt compatibility as things stand.

My preference is to continue with the current implementation logic: a single PIN/UV token may be used a single time, but the user presence check is assumed. We aren't capable of complying with the standard here because there is no presence timer, and as you are aware anything malicious can power down the reader to bypass a "tap" requirement. Powering it back up makes the authenticator re-enter the field without the user "tapping" anything.

I'm open to contrary opinions - ideally you'd explain the threat model you see as important, and that would help me understand why limiting the non-user-verified actions would be a good idea.

BryanJacobs commented 4 months ago

I'm up for revisiting this if we discover an application in the wild for which the current behavior causes problems. It looks to me like things are working okay as is :-).

I'm going to close this issue since my current mindset is that it's not-a-bug.