fmeum / WearAuthn

Use your Wear OS watch as a FIDO2 security key via Bluetooth and NFC.
https://play.google.com/store/apps/details?id=me.henneke.wearauthn.authenticator
MIT License
183 stars 7 forks

Does not work with `systemd-homed` #18

Open Thesola10 opened 2 years ago

Thesola10 commented 2 years ago

What went wrong?

systemd-homed is a software solution for Linux user accounts that accepts FIDO2 tokens as an alternative for the user password, essentially providing a Chromebook- or macOS-esque "Log in with watch" feature if combined with WearAuthn.

And that's where the issue occurs: systemd-homed fails to register my watch as a login token.

Steps to reproduce

  1. Pair watch with Linux computer running systemd-homed
  2. Run homectl update --fido2-device=/dev/hidraw2 to register the watch as a login token (exact hidraw path may vary)
  3. The watch displays a confirmation for io.systemd.home ("Home Directory"); accept it.
  4. systemd-homed then errors out with the following error:

     Initializing FIDO2 credential on security token.
     👆 (Hint: This might require confirmation of user presence on security token.)
     -- (this is where the first confirmation succeeds)
     Generating secret key on FIDO2 security token.
     Failed to ask token for assertion: FIDO_ERR_INTERNAL
     -- (nothing shows up on the watch)

WebAuthn works perfectly through Firefox, through Flatpak, so it can't possibly be a permissions issue.

On a USB Yubikey, the correct behavior is that the key asks for presence twice. On WearAuthn, the second confirmation never happens.

Which model is your watch?

Fossil Q Explorist Gen 4

Which Android version is running on your watch?

Wear OS 2.34

Which version of WearAuthn are you using?

0.9.17 (Google Play)

I don't know how useful it is, but the app version also mentions "Credentials storage: Hardware".

Thesola10 commented 2 years ago

Here is a Logcat dump, with the app set to "Debug" logging:

https://gist.github.com/Thesola10/98146c3db20051ffacf07598ea84202f

Thesola10 commented 2 years ago

Documentation for systemd-homed states that the hmac-secret extension is required. Maybe that's the issue?

fmeum commented 2 years ago

Yep, that's the issue. Since hmac-secret is required for any kind of offline login features and these are becoming more and more popular, it would be a great feature to add. I'm a bit constrained on time atm and would definitely welcome and support contributions.

Thesola10 commented 2 years ago

Your comment in #5 mentions that hmac-secret is supported, what does that mean exactly?

fmeum commented 2 years ago

It is implemented according to my understanding of the spec back at the time, but I remember the spec being unclear about some things (see https://github.com/fmeum/WearAuthn/blob/35b2e913a433621ab67d065aae48fbe1bfb121fd/authenticator/src/main/java/me/henneke/wearauthn/fido/ctap2/Authenticator.kt#L354). Also, since there wasn't any application to test the feature with, it may be broken.

Thesola10 commented 2 years ago

Given the --fido2-with-user-presence=false flag on homectl, it appears that an hmac-secret client might be able to not require user presence?
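
The two-step flow discussed in this thread (a makeCredential with the hmac-secret extension, followed by a getAssertion that asks the authenticator for HMAC-SHA-256(CredRandom, salt) to derive the key protecting the home directory) is easier to see in a small model. The code below is an added example written for this page; it is not WearAuthn's or systemd's code. `ToyAuthenticator`, `enroll`, `login` and `HmacSecretUnsupported` are hypothetical names, the ECDH/AES wrapping of the salt and the CBOR framing of real CTAP2 are deliberately omitted, and the assumption that `--fido2-with-user-presence=false` only affects the assertion step (not the credential creation, which CTAP2 always gates on user presence) is a modelling choice, not something the page confirms. The relying-party id `io.systemd.home` is the one reported in the issue; all other values are constructed.

```python
import hashlib
import hmac
import os


class HmacSecretUnsupported(Exception):
    """Raised when hmac-secret output is requested from a credential that was
    created without the extension (hypothetical error type for this model)."""


class ToyAuthenticator:
    """Minimal stand-in for a CTAP2 authenticator (hypothetical, not WearAuthn).

    Only the parts relevant to hmac-secret are modelled:
    - makeCredential stores a random 32-byte CredRandom per credential when the
      client requested the hmac-secret extension;
    - getAssertion returns HMAC-SHA-256(CredRandom, salt) when a salt is given.
    The salt wrapping (ECDH key agreement + AES) and CBOR framing of the real
    protocol are left out.
    """

    def __init__(self):
        self._cred_random = {}      # credential id -> CredRandom, or None
        self.presence_prompts = 0   # how often the user had to confirm on the device

    def make_credential(self, rp_id, hmac_secret=False):
        # CTAP2 makeCredential always tests user presence: first confirmation.
        self.presence_prompts += 1
        cred_id = os.urandom(16)
        self._cred_random[cred_id] = os.urandom(32) if hmac_secret else None
        return cred_id

    def get_assertion(self, rp_id, cred_id, salt=None, up=True):
        if cred_id not in self._cred_random:
            raise KeyError("unknown credential")
        if up:
            # Second confirmation, unless the client sent the "up": false option.
            self.presence_prompts += 1
        if salt is None:
            return None  # plain assertion, no extension output requested
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be exactly 32 bytes")
        cred_random = self._cred_random[cred_id]
        if cred_random is None:
            raise HmacSecretUnsupported("credential was created without hmac-secret")
        return hmac.new(cred_random, salt, hashlib.sha256).digest()


RP_ID = "io.systemd.home"  # relying-party id the watch displayed in the issue


def enroll(auth, presence_for_assertion=True):
    """Model of `homectl update --fido2-device=...`: create a credential with
    hmac-secret, then run one assertion right away to obtain the secret that
    protects the home directory key. `presence_for_assertion=False` models
    `--fido2-with-user-presence=false` (assumption: it only affects assertions)."""
    cred_id = auth.make_credential(RP_ID, hmac_secret=True)
    salt = os.urandom(32)  # kept in the user record next to the credential id
    secret = auth.get_assertion(RP_ID, cred_id, salt=salt, up=presence_for_assertion)
    return cred_id, salt, secret


def login(auth, cred_id, salt, presence_for_assertion=True):
    """Model of a later login: the same credential and salt must yield the same
    secret, which is what makes an offline unlock possible without storing it."""
    return auth.get_assertion(RP_ID, cred_id, salt=salt, up=presence_for_assertion)


if __name__ == "__main__":
    auth = ToyAuthenticator()
    cred_id, salt, secret = enroll(auth)
    print("prompts during enrollment:", auth.presence_prompts)      # 2, as with a USB key
    print("login reproduces secret:", login(auth, cred_id, salt) == secret)
```

With `presence_for_assertion=True` the model prompts twice during enrollment, which matches the "asks for presence twice" behaviour described for the YubiKey; with it set to `False` only the makeCredential prompt remains. A credential created without the extension makes the second step fail in the model with `HmacSecretUnsupported`; a real authenticator reports this through the CTAP status it returns, and the `FIDO_ERR_INTERNAL` seen in the issue is libfido2's client-side status rather than a value this toy reproduces.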

Thesola10 commented 2 years ago

Browsing through the logcat, weirdly enough, there's never an error or warning on the watch side of things, not even a claim of a "malformed message".

Pausing the authentication process before the second step yields an interesting behavior: WearAuthn logs absolutely nothing. The issue might be on systemd's side.

PS: The WearAuthn watch does not show up when I do homectl update --fido2-device=list, whereas my Yubikey does. That command should list all hidraw devices recognized by libfido2, so the issue might be on libfido2's side?

Thesola10 commented 2 years ago

Managed to get libfido2 logging info by patching homectl:

https://gist.github.com/Thesola10/4639fdb4d5d82e8d0fc1251aacb81219

Thesola10 commented 3 months ago

Any update?