Open w0ndersp00n opened 5 years ago
So I figured out that when Windows asks to enter a PIN, you need to press the key in order for it to save it.
However, it still seems that updating the key on the website using the regular procedure doesn't work. When choosing the advanced option it is possible to update the key.
Does the recently merged https://github.com/solokeys/solo-webupdate/pull/20 fix this for you?
I just tried this out on Firefox. It still specifically asks for a PIN. Then I tried it in Edge, which is completely stock, but it also asks for a PIN, even just to inspect the key.
After entering my PIN, the browser asks me to press the button. After I've done that, there is no possibility to update the key. The only way is via advanced mode, which is the way I've used every time as of now.
Hm, weird. I don't really use FF and Edge, but never had any problems in Opera so far, and after that fix I hacked in I think I never got any PIN prompts, and even fewer presence prompts.
I personally try to stay away from Chromium based browsers. However, I just installed Opera and these are my findings:
So it indeed seems that the update tool doesn't play nice with browsers that are not Chromium based.
Are you running Windows 10 1903 or later? If yes, that's the reason apparently. I generally stay away from W10 as far as I can, so I didn't catch them.
Apparently they steal the FIDO2 away, which totally screws everything. On older W10, Win 8.1 as well as Kubuntu 18.04 I don't get any PIN prompt at all.
Can be seen by the fact that the FIDO2 request doesn't get processed by a Chrome pop-up but a window called "Windows Security".
Just for reference, a native Firefox prompt should look a bit like this:
And this is Chrome:
Otherwise something else is taking your requests, like in that case W10.
Right, I see! I'm indeed using Windows 10 1903. And I'm always getting the Windows prompt, in every browser:
So the issue here might be Windows instead of the browsers! I guess this might be related to #5?
While I don't really use Windows 10, I think it certainly might be plausible that it is related to said issue, so the interesting question would be whether the update on 1903/Opera actually does work and not just the "flashing firmware" appearing half randomly. No idea whether downgrading Solo is safe or even possible, but unless there just happens to be someone with an outdated Solo or we get a new fw to play the update scenario on 1903.
But update aside, I wonder whether skipping PINs works in any way in 1903 in the first place. I have a fun little sandbox for WebAuthn stuff: https://my1.dev/wa/_test/client.html Can you go here, flip the user verification to discouraged and try to register and login using your key? This might shed some light on the chaos that is 1903.
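As an added example (not code from the sandbox linked above or from the solo-webupdate project), this builds the registration and login options with user verification set to `discouraged`, and decodes the `authenticatorData` flags from the response so a relying party can check whether the client performed PIN verification anyway, which is what the 1903 prompt would indicate. The RP id, user id and sample bytes are constructed for illustration.

```javascript
// Flag bits of the authenticatorData flags byte (WebAuthn spec, section 6.1).
const FLAG_UP = 0x01; // user present (button touch)
const FLAG_UV = 0x04; // user verified (PIN / biometric)
const FLAG_AT = 0x40; // attested credential data follows the header
const FLAG_ED = 0x80; // extension data follows

// Registration options asking the client NOT to require user verification.
// In the browser: navigator.credentials.create(makeCreationOptions(...)).
function makeCreationOptions(challenge, userId, rpId) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: "tester", displayName: "tester" },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { userVerification: "discouraged" },
      timeout: 60000,
      attestation: "none",
    },
  };
}

// Assertion (login) options with the same preference.
// In the browser: navigator.credentials.get(makeRequestOptions(...)).
function makeRequestOptions(challenge, rpId) {
  return { publicKey: { challenge, rpId, userVerification: "discouraged", timeout: 60000 } };
}

// Decodes the fixed header of authenticatorData: rpIdHash(32) | flags(1) | signCount(4).
// Feed it new Uint8Array(assertion.response.authenticatorData) from a get() result.
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0, // true means a PIN/UV was performed
    hasAttestedCred: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Constructed sample header: dummy rpIdHash, flags UP|UV|AT, signCount 7.
function sampleAuthData() {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = FLAG_UP | FLAG_UV | FLAG_AT;
  buf[36] = 7;
  return buf;
}
```

If `userVerified` comes back true even though both option sets said `discouraged`, the platform (here Windows Hello) imposed the PIN, not the RP.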
Alright, so in Opera I tried this. When pressing the "New registration" button, I also get the "Enter your PIN" prompt:
When I cancel the prompt I receive this error from the website:
The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.
If I enter my PIN, I have to touch the key. Then Opera asks me if I want to confirm the action:
After that, registration is complete.
I btw have another Solo Key, which isn't updated yet, so I can help out with that key as well.
But checking should not require the PIN, right?
I mean, technically Windows is doing the right thing, as the FIDO2 spec for some crazy reason says that a registration operation has to require a PIN. (One of the 2 things that make FIDO2 really annoying instead of super awesome.)
That's right. Registering the key requires a PIN. Checking the key only requires me to press the button on the key.
Now that's something we might be able to work with.
Question for the Solo people. WebAuthn has extensions; does FIDO2 as well? And most notably, are custom extensions possible, and if yes, how are browsers and other clients supposed to work with the requests from the RP and the responses from the authenticator? Just pass through?
If yes, this would allow for some ways to work with this by masking everything instead of register into authenticate requests, which at the very least can pass the inspection. Updating may be chaotic though, with Windows passing in.
@w0ndersp00n does one of your Solos perhaps not have a PIN set? If yes, that might be an interesting target for some more plays, as the register -> force PIN flow only exists for devices that currently have a PIN set, so no PIN = no problems.
Too bad I've set a PIN already for both, since there was no other way for me to update the keys. I don't know if it is possible to remove the PIN afterwards?
Only reset, which wipes both the resident keys and the master secret for the normal credentials. Obviously sucks, but kinda makes sense.
I'm trying to update my Solo to the latest firmware. I followed the instructions. When I insert the key, its current firmware release is recognized. However, when choosing 'Inspect Key', every browser (Firefox, Edge, Chrome) asks me to set up a PIN. So I enter a PIN, but the Solo's LED turns solid red and Windows complains it is unable to set up the PIN.
When I cancel out of that screen, the inspect key button never works.
Thanks!