Stepup-webauthn requests a PIN code to be set when enrolling FIDO2 #163

Open
phavekes opened this issue Nov 30, 2024 · 5 comments

@phavekes (Member)

This issue is imported from pivotal - Originally created on Apr 11, 2024 by Peter Havekes

Before the php8/sf6 update, no pin was required when enrolling

@phavekes phavekes self-assigned this Nov 30, 2024
@phavekes (Member, Author)

(Peter Havekes - Apr 11, 2024)

@phavekes (Member, Author)

You turn off the PIN prompt by setting AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED. But when I try to change that via config/packages/webauthn.yaml, it seems to have no effect.
(Peter Havekes - Apr 12, 2024)

@phavekes (Member, Author)

My experience on the new app:

Given: I've set a PIN on my FIDO2 token

When I register a new FIDO2 token on the sa.surfcontext.nl
Then I'm prompted to fill in my pin
And I can successfully register my token

When I do the same on the upgraded webauthn gssp
Then after entering my PIN, I see a JS error stating:

"The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission." (Michiel Kodde - Apr 15, 2024)
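As an added illustration (not code from Stepup-webauthn or the webauthn bundle), here is a browser-side check for the two observations above: whether the server's configured userVerification policy (the USER_VERIFICATION_REQUIREMENT_DISCOURAGED setting) actually reaches the client, inspected in the creation options before navigator.credentials.create() is called. The sample server response, rp/user values and function names are constructed; the quoted error text is what browsers attach to a NotAllowedError DOMException.

```javascript
// Constructed sample of a PublicKeyCredentialCreationOptions JSON as a server
// might send it (binary fields base64url-encoded). Not real GSSP output.
const SAMPLE_SERVER_OPTIONS = {
  rp: { name: "Example GSSP", id: "example.test" },
  user: { id: "dXNlci0xMjM", name: "user@example.test", displayName: "Example User" },
  challenge: "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8", // bytes 0x00..0x1f
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  authenticatorSelection: { userVerification: "required" },
  timeout: 60000,
};

// base64url -> Uint8Array (WebAuthn wants ArrayBuffer/TypedArray, not strings).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// The policy the authenticator will be asked to enforce. Per the WebAuthn spec
// the default is "preferred" when the server omits the field, so an ignored
// YAML change shows up here as "preferred" or "required", never "discouraged".
function effectiveUserVerification(options) {
  const sel = options.authenticatorSelection || {};
  return sel.userVerification || "preferred";
}

// Convert the server JSON into the shape navigator.credentials.create() expects.
function toCreateOptions(server) {
  return {
    ...server,
    challenge: base64urlToBytes(server.challenge),
    user: { ...server.user, id: base64urlToBytes(server.user.id) },
    excludeCredentials: (server.excludeCredentials || []).map(
      (c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// Registration with a diagnostic line; the create() call only works in a browser.
async function register(server) {
  console.log("server requests userVerification =", effectiveUserVerification(server));
  try {
    return await navigator.credentials.create({ publicKey: toCreateOptions(server) });
  } catch (e) {
    // A NotAllowedError here carries the generic "not allowed by the user agent"
    // message quoted in this issue; e.name is the useful part to report.
    console.error(e.name, e.message);
    throw e;
  }
}
```

If the logged policy is still "required" after editing webauthn.yaml, the server-side profile is not the one being used for this enrollment, regardless of what the token does.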

@phavekes (Member, Author)

My experience in the 'old' app:
Given: I've not set a pin on the FIDO2 token
When I register a new FIDO2 token on the sa.surfcontext.nl
Then I'm not prompted to fill in my pin
And I can successfully register my token

When I do the same on the upgraded webauthn gssp
I'm required to set a pin, before I can continue (Peter Havekes - Apr 15, 2024)

@phavekes (Member, Author)

Interesting read on how Yubikey PINs behave in FIDO and FIDO2: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs
  • There is only one FIDO PIN per Yubikey token
  • The U2F ("FIDO 1") standard does not have a userVerification (e.g. a PIN), only FIDO 2 does, so disabling FIDO2 on a Yubikey token and reverting it to U2F disables the password prompt and still allows you to authenticate using the token when the client accepts this (i.e. does not require userVerification)
  • Because we do not use the tokens as a second factor, we do not want userVerification as that is the role of the first factor. (Pieter van der Meulen - May 13, 2024)

@phavekes phavekes removed their assignment Nov 30, 2024
@phavekes phavekes transferred this issue from OpenConext/Stepup-Project Dec 3, 2024