-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
githubs u2f appid changed #474
Comments
|
btw I saw some discussion in the other PR regarding fido2 not using facets (urls) any more. That seems to be the case so that companies that use multiple domains can reuse the registration for all domains. https://groups.google.com/a/fidoalliance.org/forum/#!msg/fido-dev/zP7XTnEywB4/uLN68lQdBwAJ https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Migrating_from_U2F.html |
Very useful! That image on https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Migrating_from_U2F.html tells me it was probably a good decision to not include Instead, we would need to recognize WebAuthn apps and prepend |
If I try to register with facebook right now I get
So it seems to me that if you use a modern enough browser that has webauthn support both github and facebook has skipped the comp. layer and gone with the new standard. It could be that they provide the appId if you registered the u2f-key with them before they switched to webauthn (they would need to tag every new registered device if it is registered using u2f api or webauthn api.) All-in-all I think the bb02 will have to have both. The old one for people who registered with services before webauthn and the new one for everyone else.
Only the browser could do that. The bb02 only gets the hash. I think this would be an accurate description:
|
When I register the bb02 with github I get the "new hash": If I understood this correctly, people who have already registered with github long time ago will receive the "old" hash? @NickeZ |
AFAIU we can add both yes. |
I think the new IDs are called Relaying Party ID or RPID. So I think the code should distinguish if it is an RPID or an AppID. |
Exactly. And that's what worried me. So, I grabbed a U2F demo and changed this line to: const appId = 'github.com' I then tried it on I also tried setting RP ID and AppID to So, I don't see any security issues. Only some potential migration troubles for existing users on github and others which implemented WebAuthn with U2F extension. |
I don't know why they removed the schema from the ID. Fortunately it still looks like they only allow a subdomain of the RPID given. https://www.w3.org/TR/webauthn/#relying-party-identifier I think the bb02 firmware should have two structs, one with appids and one with rpids. Then for u2f you search both and for fido2/passwordless/loginless you only search rpids. Does that sound reasonable? |
Yes! but what about FIDO2 + U2F extension? esp. for existing users who already tied their bitbox to an account using U2F which is now FIDO2, like github. |
I think it is up to GitHub to implement the portability and show the appid in case you registered when they used appid. Since they have to store the keyhandle they could also store the creation date or some metadata that allows them to present the right ID to the bb02 |
Since the BB02 only receives the hash wouldn't it be sufficient to just append more entries to the list we have atm and just distinguish them by stating type (AppID/RPID)? |
I saw this PR: #472 and remembered that I've noticed that githubs appid changed. Not sure exactly when. IIRC it is just
sha256('github.com')
now.The text was updated successfully, but these errors were encountered: