github / SoftU2F

Software U2F authenticator for macOS
MIT License

SoftU2F has very short timeout with webauthn #50

Closed subyraman closed 4 years ago

subyraman commented 6 years ago

Thanks for using Soft U2F. I'm sorry that you've encountered a bug.

System information

To aid in debugging, please provide the output from running the following commands:

What browser are you using?

Chrome with the Web Authentication flag enabled.

sw_vers

10.13.3

I have confirmed that SoftU2F is installed and running. Example of how to duplicate this bug:

  1. Enable the Web Authentication flag in Chrome 65
  2. On https://webauthn.bin.coffee/, register a credential
  3. Attempt to authenticate with the credential.
  4. Wait for more than 3 seconds.
  5. Click accept on the SoftU2F notification.
  6. The authentication silently fails.

Is SoftU2F not respecting the timeout sent from the webauthn api? Is there a constant or the like to make it successful?

btoews commented 6 years ago

I can reproduce this. Looking at the debugging output from Soft U2F, I see the registration response being sent. After the timeout, if I kill the Soft U2F process and restart it I see it receive another, identical register request.

Is SoftU2F not respecting the timeout sent from the webauthn api? Is there a constant or the like to make it successful?

The "U2F protocol" doesn't have any notions of timeouts as far as I remember. The HID protocol does, so maybe it's an issue there.

I haven't looked into Chrome's webauthn implementation yet. Do you happen to know if there's any way to get debugging output from it? It used to be possible to get HID-level debugging info from the internal Chrome extension where U2F was implemented.

subyraman commented 6 years ago

I'm unsure myself about getting debugging information from the browser-authenticator communication process; I haven't stumbled on anything like that!

Looking at the authenticatorGetAssertion method in the spec it doesn't seem like a timeout is explicitly passed to the authenticator; but ~3 seconds does seem a bit short, especially for people with accessibility concerns.

btoews commented 6 years ago

The high-level JavaScript API for U2F also had a timeout parameter, but that only dictated how long the browser would wait on a device before giving up. It wasn't used in the U2F protocol (between the browser and security key).
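
The browser-side timeout that btoews describes, modelled as an added example (not code from SoftU2F or from anyone in this thread): a stand-in authenticator that waits for the user to approve, a client that races it against the request's `timeout` and rejects with `NotAllowedError` on expiry, and a relying-party handler that tells a timeout apart from other failures. The names `fakeAuthenticator`, `clientGet` and `authenticate` and all sample values are constructed for illustration.

```javascript
// Added example: models why a late "accept" fails silently. The WebAuthn
// `timeout` is enforced by the browser only; the authenticator never sees it.
// If the user approves after the client has given up, the response arrives
// at the client but is discarded.

// Constructed stand-in for an authenticator that waits for a user gesture.
// `approveAfterMs` models how long the user takes to click "accept".
function fakeAuthenticator(approveAfterMs) {
  return {
    getAssertion(rpId, challenge) {
      return new Promise((resolve) => {
        setTimeout(() => resolve({ rpId, challenge, signature: "constructed-sig" }), approveAfterMs);
      });
    },
  };
}

// Models the browser: races the authenticator against the RP's `timeout`.
// On expiry it rejects with a NotAllowedError, as the WebAuthn client does,
// and any later response from the authenticator is dropped on the floor.
function clientGet(authenticator, options) {
  const { rpId, challenge, timeout } = options;
  let settled = false;
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => {
      if (settled) return;
      settled = true;
      reject(Object.assign(new Error("The operation timed out"), { name: "NotAllowedError" }));
    }, timeout);
    authenticator.getAssertion(rpId, challenge).then((assertion) => {
      if (settled) return; // late approval: discarded, and nobody is told
      settled = true;
      clearTimeout(timer);
      resolve(assertion);
    }, reject);
  });
}

// Relying-party side: distinguish a client timeout (or user denial) from other
// errors so the UI can re-prompt instead of failing without explanation.
async function authenticate(authenticator, options) {
  try {
    const assertion = await clientGet(authenticator, options);
    return { ok: true, assertion };
  } catch (err) {
    if (err && err.name === "NotAllowedError") return { ok: false, reason: "timeout-or-denied" };
    throw err;
  }
}
```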

ejholmes commented 6 years ago

FWIW, webauthn also doesn't work for me in latest Chrome/Firefox.

  1. Go to https://webauthn.org
  2. Attempt to register.
  3. Hit "Approve" in the SoftU2F prompt.
  4. Nothing happens.

The SoftU2F daemon prints some output ("Sending frame:..."), but I'm not sure how to interpret it (I can post the logs here if it's useful). Webauthn works fine for me with my yubikey.

btoews commented 6 years ago

It looks like this is even more broken in Chrome now. I'm seeing this error:

NotAllowedError: The operation is not allowed at this time because the page does not have focus.

CyberFlameGO commented 4 years ago

I think this is fixed.

btoews commented 4 years ago

Nice. It does seem to work in Chrome now.