Comments (1)
I’m not quite sure why the PIN is required at all as we set uv to discouraged. Looking at the source code, these lines in the fido2 library trigger the PIN verification:
elif mc and uv_configured and not self.info.options.get("makeCredUvNotRqd"):
    return True
https://github.com/Yubico/python-fido2/blob/1.1.1/fido2/client.py#L491-L492
This effectively means that the uv value is ignored for makeCredential unless the makeCredUvNotRqd option is set. The relevant info in the FIDO2 spec is:
Note: For backwards compatibility, platforms must be aware that FIDO_2_0 (aka CTAP2.0) authenticators always require some form of user verification for authenticatorMakeCredential operations. If a platform attempts to create a non-discoverable credential on a CTAP2.0 authenticator without including the "uv" option key or the pinUvAuthToken parameter that authenticator will return an error. In contrast, a FIDO_2_1 (aka CTAP2.1) authenticator with the makeCredUvNotRqd option ID (set to true) in the authenticatorGetInfo response structure, will allow creation of non-discoverable credentials without requiring some form of user verification.
As far as I see, the Nitrokey 3 does not set this option. So we could probably fix this problem at the root and remove the PIN requirement if we add this option to fido-authenticator.
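The condition quoted in the comment above, worked through as an added example (not part of the original comment and not python-fido2's code): a simplified model of when a client has to ask for the PIN, evaluated over constructed authenticatorGetInfo option maps. The function names and the handling of "required", "preferred" and alwaysUv are assumptions made for illustration.

```python
# Added illustration: a simplified model, not python-fido2's implementation.
# Option names come from the CTAP2 authenticatorGetInfo "options" map.

def uv_configured(options):
    """True if a PIN or built-in user verification is set up on the device."""
    return any(options.get(k) for k in ("clientPin", "uv", "bioEnroll"))


def client_needs_uv(options, user_verification, make_credential):
    """Return True if the client has to obtain a PIN/UV token first.

    options           -- getInfo options map reported by the authenticator
    user_verification -- WebAuthn value: "required", "preferred", "discouraged"
    make_credential   -- True for makeCredential, False for getAssertion
    """
    configured = uv_configured(options)
    # Assumption: explicit requests for UV (or alwaysUv) always lead to UV.
    if user_verification == "required" or options.get("alwaysUv"):
        return True
    if user_verification == "preferred" and configured:
        return True
    # The condition quoted in the comment: for makeCredential, "discouraged"
    # is only honoured when the authenticator reports makeCredUvNotRqd.
    if make_credential and configured and not options.get("makeCredUvNotRqd"):
        return True
    return False


# Constructed getInfo option maps (not read from real devices).
PIN_SET_NO_FLAG = {"rk": True, "up": True, "clientPin": True}
PIN_SET_WITH_FLAG = {"rk": True, "up": True, "clientPin": True,
                     "makeCredUvNotRqd": True}
NO_PIN_SET = {"rk": True, "up": True, "clientPin": False}


def discouraged_table():
    """Map (device, operation) -> PIN needed, all with uv="discouraged"."""
    devices = {"pin_no_flag": PIN_SET_NO_FLAG,
               "pin_with_flag": PIN_SET_WITH_FLAG,
               "no_pin": NO_PIN_SET}
    return {(name, op): client_needs_uv(opts, "discouraged", op == "makeCredential")
            for name, opts in devices.items()
            for op in ("makeCredential", "getAssertion")}


if __name__ == "__main__":
    for key, needed in discouraged_table().items():
        print(key, "-> PIN prompt" if needed else "-> no PIN prompt")
```

Only the device with a PIN set and no makeCredUvNotRqd flag prompts for the PIN on makeCredential; the same device does not prompt on getAssertion with uv set to discouraged.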