Open Thesola10 opened 2 years ago
Here is a Logcat dump, with the app set to "Debug" logging:
https://gist.github.com/Thesola10/98146c3db20051ffacf07598ea84202f
Documentation for systemd-homed states that the hmac-secret extension is required. Maybe that's the issue?
Yep, that's the issue. Since hmac-secret is required for any kind of offline login features and these are becoming more and more popular, it would be a great feature to add. I'm a bit constrained on time atm and would definitely welcome and support contributions.
Your comment in #5 mentions that hmac-secret is supported, what does that mean exactly?
It is implemented according to my understanding of the spec back at the time, but I remember the spec being unclear about some things (see https://github.com/fmeum/WearAuthn/blob/35b2e913a433621ab67d065aae48fbe1bfb121fd/authenticator/src/main/java/me/henneke/wearauthn/fido/ctap2/Authenticator.kt#L354). Also, since there wasn't any application to test the feature with, it may be broken.
Given the --fido2-with-user-presence=false flag on homectl, it appears that a hmac-secret client might be able to not require user presence?
Browsing through the logcat, weirdly enough, there's never an error or warning on the watch side of things, not even a claim of a "malformed message".
Pausing the authentication process before the second step yields an interesting behavior: WearAuthn logs absolutely nothing. The issue might be on systemd's side.
PS: The WearAuthn watch does not show up when I do homectl update --fido2-device=list, whereas my Yubikey does. That command should list all hidraw devices recognized by libfido2, so the issue might be on libfido2's side?
Managed to get libfido2 logging info by patching homectl:
https://gist.github.com/Thesola10/4639fdb4d5d82e8d0fc1251aacb81219
any update?
What went wrong?
systemd-homed is a software solution for Linux user accounts that accepts FIDO2 tokens as an alternative for the user password, essentially providing a Chromebook- or macOS-esque "Log in with watch" feature if combined with WearAuthn. And that's where the issue occurs: systemd-homed fails to register my watch as a login token.
Steps to reproduce
systemd-homed
homectl update --fido2-device=/dev/hidraw2 to register the watch as a login token (exact hidraw path may vary)
io.systemd.home ("Home Directory"), accept it.
systemd-homed then errors out with the following error:
WebAuthn works perfectly through Firefox, through Flatpak, so it can't possibly be a permissions issue.
On a USB Yubikey, the correct behavior is that the key asks for presence twice. On WearAuthn, the second confirmation never happens.
Which model is your watch? Fossil Q Explorist Gen 4
Which Android version is running on your watch? Wear OS 2.34
Which version of WearAuthn are you using? 0.9.17 (Google Play)
I don't know how useful it is, but the app version also mentions "Credentials storage: Hardware".