keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Add support for hmac-secret FIDO2 extension #3560

Open prusnak opened 5 years ago

prusnak commented 5 years ago

The FIDO2 standard (a superset of the older U2F standard) includes the hmac-secret extension, which introduces behaviour similar to the older YubiKey HMAC-SHA1 challenge-response merged in https://github.com/keepassxreboot/keepassxc/pull/127 but is much more universal, as FIDO2 is an open standard.

We could try to expand the current Challenge-Response implementation in KeePassXC to cover this too (using libfido2) which will make KeePassXC compatible with any FIDO2 dongle.

This will satisfy https://github.com/keepassxreboot/keepassxc/issues/3450 and any other vendor-specific requests in the future.
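To make the proposal concrete, here is an added example (not KeePassXC code and not libfido2) that models the core computation of the hmac-secret extension: at makeCredential the authenticator stores a random CredRandom for the credential, and at getAssertion it returns HMAC-SHA-256(CredRandom, salt) for a 32-byte salt the client supplies. The class and function names are hypothetical, and the CTAP2 encryption of salts and outputs under the PIN/UV-protocol shared secret is deliberately left out.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class HmacSecretAuthenticator:
    """Toy model of the authenticator side of CTAP2 hmac-secret.

    Real authenticators bind a 32-byte CredRandom to each credential and
    compute HMAC-SHA-256(CredRandom, salt) on request. Transport encryption
    with the shared secret (part of the real protocol) is omitted here.
    """

    def __init__(self) -> None:
        self._cred_random: Dict[bytes, bytes] = {}

    def make_credential(self) -> bytes:
        """Create a credential with a fresh CredRandom; return its id."""
        cred_id = secrets.token_bytes(16)
        self._cred_random[cred_id] = secrets.token_bytes(32)
        return cred_id

    def get_assertion(
        self, cred_id: bytes, salt1: bytes, salt2: Optional[bytes] = None
    ) -> Tuple[bytes, Optional[bytes]]:
        """Return output1 (and output2 if a second salt was sent)."""
        if len(salt1) != 32 or (salt2 is not None and len(salt2) != 32):
            raise ValueError("hmac-secret salts must be exactly 32 bytes")
        cred_random = self._cred_random[cred_id]  # KeyError if unknown credential
        out1 = hmac.new(cred_random, salt1, hashlib.sha256).digest()
        out2 = None
        if salt2 is not None:
            out2 = hmac.new(cred_random, salt2, hashlib.sha256).digest()
        return out1, out2


def challenge_response_key(
    authenticator: HmacSecretAuthenticator, cred_id: bytes, challenge: bytes
) -> bytes:
    """Client side of the proposed KeePassXC flow (assumed design):
    hash the database challenge down to the 32-byte salt the extension
    requires, and use output1 as key material, like the YubiKey response."""
    salt = hashlib.sha256(challenge).digest()
    out1, _ = authenticator.get_assertion(cred_id, salt)
    return out1
```

The same challenge against the same credential always yields the same 32-byte key, while a different credential (another device) or a different challenge yields unrelated output, which is exactly the property a challenge-response key provider needs.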

My1 commented 1 year ago

Ideally any decent FIDO2-enabled device should work for testing; I currently only know one that has actual FIDO2 but no hmac (the Mooltipass). But having a Trezor or otherwise backup-enabled FIDO2 device is even better, as you can potentially do all the key math and replicate stuff; not sure if it's possible to MITM the FIDO2 proto though.

prusnak commented 1 year ago

> ideally any decent fido2 enabled device should work for testing,

Having a Trezor Model T is great for testing, because not only does it implement the full FIDO2 spec including hmac-secret and resident credentials, but you can also see what's happening by looking at its display (where you are shown the confirmation screens).

My1 commented 1 year ago

Yeah, this is a reason I also thought about getting one, but if I am just gonna use it as a FIDO device it's WAY too expensive. (And sadly Ledger, after doing something after years of promises, left out the Nano S, and the T1 also has no FIDO2, sadly.)

ashleysommer commented 1 year ago

@banym Support for Nitrokey FIDO2 will be part of this new feature, do you wish to add your bounty (you proposed back in January 2020) to that of @anton-isidore?

ashleysommer commented 1 year ago

For anyone interested, I have created a discussion thread about the specifics of the "hmac-secret" implementation here: https://github.com/keepassxreboot/keepassxc/discussions/9506

t4nature commented 1 month ago

@My1

> it's not about the Security Key series being older, the "blue yubis" as I call them as they traditionally have been blue always were FIDO-only

Yes, that was bad phrasing on my part. I am aware they still sell the "security key" series. It just happens that my particular one is around 4 years old. My new Yubikey is a 4C, only a year old, so I call them "my old Yubikey" and "my new Yubikey", but I know in reality they are different product segments, and the age of them does not dictate the feature set.

@robinschwab

> Just bear in mind there are other interfaces than USB. NFC is needed on smartphones and supported by many laptops.

KeePassXC does not run on Android or iOS. I don't know if any of the Linux phones have NFC. I don't think NFC is a great requirement for this feature.

I think the Trezor Emulator might be helpful for you.