PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

SECURITY - Frustrating and Dangerous Click Through to Wrong Passkey Device #2160

Open mirage335 opened 8 months ago

mirage335 commented 8 months ago

Prerequisites

Steps to reproduce

Gaah! This is REALLY infuriating!!! Why does an MSW update have to triple the inconvenience of using 2FA when we need it? And yes, WE DO NEED TO 2FA every login to a server, and every Git commit!

Please get the SSH key associated with the hardware security key. No, I am not going to consider something other than redundant hardware security keys for something like this; I've had malware hacks leap from mobile to desktop hosts myself. Nor should anyone be forced away from hardware security keys.

Use FIDO SSH key. Login to remote system with SSH (i.e. 'ssh git@github.com').

"iPhone, iPad, or Android device"

Expected behavior

#~/.ssh/id_ed25519_sk
#~/.ssh/id_ed25519_sk.pub
ssh git@github.com

"Security key"

Actual behavior

#~/.ssh/id_ed25519_sk
#~/.ssh/id_ed25519_sk.pub
ssh git@github.com

"iPhone, iPad, or Android device"

Error details

No response

Environment data

#~/.ssh/id_ed25519_sk
#~/.ssh/id_ed25519_sk.pub

Version

OpenSSH-Win64-v9.2.2.0.msi (MSW) ; OpenSSH_9.4p1, OpenSSL 1.1.1w 11 Sep 2023 (cygwin)

Visuals


mirage335 commented 8 months ago

Also there is a report about this on StackExchange, which is where I obtained the visual image.

https://superuser.com/questions/1808301/set-default-security-key-settings-windows-11

mirage335 commented 8 months ago

Also a security hazard, because it seems the key is not always 'grabbed' sufficiently to prevent, instead of FIDO, spewing the YubiKey OTP, maybe into a terminal, maybe into a random website, which is definitely, definitely, not good.

vthiebaut10 commented 8 months ago

@mirage335 - This behavior is external to the Win32-OpenSSH project. I recommend you reach out to the e-mail listed in the webauthn public repo https://github.com/microsoft/webauthn (fido-dev@microsoft.com).

mirage335 commented 8 months ago

So I guess Win32-OpenSSH does not need to make use of a different API, but webauthn needs to correctly recognize the API call? I would think there would be some way to identify which FIDO key Win32-OpenSSH is looking for, and webauthn would default to the device previously used with that FIDO key if available.

pakud commented 6 months ago

@mirage335, if you've found any workaround in the meanwhile, please do share it. Thx!

mirage335 commented 6 months ago

Nope, I wish I had!

My best guess for a workaround would be an AutoHotKey script. But that could get very interesting, and I'm not sure about the reliability of something like that in this context.

FIDO2 keys should be uniquely identifiable, so it seems like either MS has broken the protocol, or OpenSSH doesn't use the new API anymore.

EDIT: I wonder if this is on purpose. Transaction YubiKey authentication may be the only alternative strong enough against malware to compete against MS Windows Enterprise security/monitoring features.

pakud commented 6 months ago

On https://answers.microsoft.com/en-us/windows/forum/all/disable-iphone-ipad-or-android-device-option-for/3c83b399-8dfd-4d5a-9945-0a14acd58e10?page=3 I've found a workaround posted by iEzJay. It does work for me as well.

Go to Device Manager on Windows and disable the Bluetooth adapter. The annoying dialog is gone, and the random delay introduced by it is gone as well.

Definitively it's not a proper solution, it's rather a nasty workaround, but it does the job... until I need to use Bluetooth.
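The Device Manager workaround above, scripted so the radio is only off for the duration of one ssh call and is restored even if ssh fails or is interrupted. This is an added example, not code from the thread or from Win32-OpenSSH; it assumes an elevated PowerShell 5.1+ session with the PnpDevice cmdlets available, and that the physical Bluetooth radio is enumerated under a USB\ or PCI\ instance id (an assumption; adjust the filter for other buses).

```powershell
# Added example (not from the thread or Win32-OpenSSH): temporarily disable the
# Bluetooth radio around a single ssh call so the "iPhone, iPad, or Android device"
# passkey option is not offered, then restore the radio no matter how ssh exits.
# Assumes an elevated PowerShell 5.1+ session and the PnpDevice cmdlets.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
    [string[]]$SshArgs          # e.g. .\ssh-nobt.ps1 -T git@github.com
)

# Physical Bluetooth radios are usually enumerated under USB\ or PCI\; paired
# peripherals and virtual nodes under BTH\ are children and vanish with the radio.
# (Assumption: adjust the filter if your adapter reports a different bus.)
$radios = Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue |
          Where-Object { $_.InstanceId -match '^(USB|PCI)\\' }

if (-not $radios) {
    Write-Warning 'No enabled Bluetooth radio found; running ssh unchanged.'
    & ssh.exe @SshArgs
    exit $LASTEXITCODE
}

$code = 1   # non-zero unless ssh actually ran and reported its own exit code
try {
    foreach ($r in $radios) {
        Write-Host "Disabling $($r.FriendlyName) ($($r.InstanceId))"
        Disable-PnpDevice -InstanceId $r.InstanceId -Confirm:$false -ErrorAction Stop
    }
    # With the radio off, the WebAuthn prompt should list only "Security key".
    & ssh.exe @SshArgs
    $code = $LASTEXITCODE
}
finally {
    # Re-enable even if ssh was interrupted with Ctrl+C or Disable-PnpDevice threw.
    foreach ($r in $radios) {
        Enable-PnpDevice -InstanceId $r.InstanceId -Confirm:$false -ErrorAction Continue
    }
}
exit $code
```

Because this toggles a device, run it from an elevated prompt; check with Get-PnpDevice -Class Bluetooth afterwards that the radio came back as Status OK.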