Closed avzuquete closed 1 year ago
fido_dev_supports_uv() returns false because the authenticator does not support UV. Note that UP != UV. fido_dev_supports_pin() returns true because the authenticator supports a pin, although one isn't set. fido_dev_has_pin() can be used to distinguish between the two cases.
These functions are documented in https://developers.yubico.com/libfido2/Manuals/fido_dev_supports_uv.html. Please let us know if there's anything we can do to improve our documentation. Thank you!
Thank you for your response.
What does UP mean? User Presence? Could you elaborate a bit?
So, when the device reports clientPin=false, that means that a PIN is supported but is not set? If the token does not support a PIN the clientPin indication should not even exist?
Thank you.
Regards,
On 07/05/2023 15:22, pedro martelletto wrote:
fido_dev_supports_uv() returns false because the authenticator does not support UV. Note that UP != UV. fido_dev_supports_pin() returns true because the authenticator supports a pin, although one isn't set. fido_dev_has_pin() can be used to distinguish between the two cases.
These functions are documented in https://developers.yubico.com/libfido2/Manuals/fido_dev_supports_uv.html. Please let us know if there's anything we can do to improve our documentation. Thank you!
-- Prof. André Ventura Zúquete
DETI / IEETA, Univ. of Aveiro
e-mail: @.***
Campus Univ. de Santiago, 3810-193 Aveiro
Phone: +351 234 370504
Portugal
URL: http://wiki.ieeta.pt/wiki/index.php/Andr%C3%A9_Z%C3%BAquete Zoom: https://videoconf-colibri.zoom.us/my/andre.zuquete
Thank you for your response. What does UP mean? User Presence? Could you elaborate a bit?
In FIDO2, User Presence (UP) indicates that someone has interacted with the authenticator to authorise an operation, typically through touch. On the other hand, User Verification (UV) signifies that, to a reasonable degree of confidence, the person who authorised an operation was the same individual who previously enrolled a secret, such as a fingerprint or a PIN, on the device.
While a PIN can be used to achieve UV, the two terms are separate concepts in FIDO2, with UV being reserved for methods of user verification that are entirely built-in to the authenticator, such as facial recognition or fingerprint matching. In this sense, most FIDO2 authenticators support PIN but not UV.
So, when the device reports clientPin=false, that means that a PIN is supported but is not set? If the token does not support a PIN the clientPin indication should not even exist?
Yes, that's correct.
Kind regards,
-p.
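The option semantics explained in the comment above, as an added example that is not part of the original thread and is not libfido2 code: it models each reported option as absent, false or true and derives what a caller can expect when it asks for user verification. The helper names, the `uv_plan` enum and the sample option lists are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A reported option is tri-state: absent, reported false, reported true. */
enum opt_state { OPT_ABSENT, OPT_FALSE, OPT_TRUE };
struct option { const char *name; bool value; };

/* Look up one option among those the authenticator reported. */
static enum opt_state opt_get(const struct option *o, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(o[i].name, name) == 0)
			return o[i].value ? OPT_TRUE : OPT_FALSE;
	return OPT_ABSENT;
}

/* Hypothetical helpers: "supports" = option present, "has" = option true. */
static bool supports(const struct option *o, size_t n, const char *name)
{
	return opt_get(o, n, name) != OPT_ABSENT;
}
static bool has(const struct option *o, size_t n, const char *name)
{
	return opt_get(o, n, name) == OPT_TRUE;
}

/* What a caller can expect if it asks for user verification right now. */
enum uv_plan { UV_BUILTIN, UV_VIA_PIN, UV_NEEDS_SETUP, UV_UNAVAILABLE };

enum uv_plan plan_uv(const struct option *o, size_t n)
{
	if (has(o, n, "uv"))
		return UV_BUILTIN;      /* built-in verification is enrolled */
	if (has(o, n, "clientPin"))
		return UV_VIA_PIN;      /* a PIN is set and can provide UV */
	if (supports(o, n, "uv") || supports(o, n, "clientPin"))
		return UV_NEEDS_SETUP;  /* capable, but nothing enrolled yet */
	return UV_UNAVAILABLE;      /* touch (UP) is the most it can offer */
}

/* Constructed samples; the first uses the two options quoted in the issue. */
static const struct option issue_device[] = { { "up", true }, { "clientPin", false } };
static const struct option pin_set[] = { { "up", true }, { "clientPin", true } };
static const struct option touch_only[] = { { "up", true } };
static const struct option bio_enrolled[] = { { "up", true }, { "uv", true }, { "clientPin", false } };

int main(void)
{
	printf("issue device plan: %d\n", plan_uv(issue_device, 2));
	return 0;
}
```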
Dear Pedro,
Thank you for your prompt and clear explanation.
Sorry for the noise, I'm still trying to get acquainted with the intrinsics of FIDO2, and those simple explanations are not easy to find in the tons of marketing stuff.
Best regards,
A. Zúquete
On 07/05/2023 18:40, pedro martelletto wrote:
Thank you for your response. What does UP mean? User Presence? Could you elaborate a bit?
In FIDO2, User Presence (UP) indicates that someone has interacted with the authenticator to authorise an operation, typically through touch. On the other hand, User Verification (UV) signifies that, to a reasonable degree of confidence, the person who authorised an operation was the same individual who previously enrolled a secret, such as a fingerprint or a PIN, on the device.
While a PIN can be used to achieve UV, the two terms are separate concepts in FIDO2, with UV being reserved for methods of user verification that are entirely built-in to the authenticator, such as facial recognition or fingerprint matching. In this sense, most FIDO2 authenticators support PIN but not UV.
So, when the device reports clientPin=false, that means that a PIN is supported but is not set? If the token does not support a PIN the clientPin indication should not even exist?
Yes, that's correct.
Kind regards,
-p.
What version of libfido2 are you using?
1.13.0
What operating system are you running?
Ubuntu 22.04.2 LTS, 5.15.0-67-generic kernel
What application are you using in conjunction with libfido2?
My own
How does the problem manifest itself?
Some fido_dev_supports_XXX give a wrong indication for a Feitian MultiPass FIDO device. I checked the libfido2 code and I guess the source of the problem is the interpretation that is made of the flags/options reported by the device. This device reports up=true (instead of uv=true), so the function fido_dev_supports_uv returns FALSE. This device reports clientPin=false, so the flags field gets a FIDO_DEV_PIN_UNSET, which later makes fido_dev_supports_pin return TRUE.
Is the problem reproducible?
Yes.
What are the steps that lead to the problem?
Explained before.
Does the problem happen with different authenticators?
Could not check.
Please include the output of fido2-token -L.
Please include the output of fido2-token -I.
Please include the output of FIDO_DEBUG=1.