FIDO testers wanted

Do you own an Apex or any other NXP P71 device?

Developing the FIDO U2F and FIDO2 applets is a big effort and I need more test data.

Please test the U2F as well as the FIDO2 applet against every device and app / website you can think of, and then report back with the device name, operating system (+ version), browser (+ version) and service URL.

For Android notes, see flexsecure-applets/4-android.md at master · DangerousThings/flexsecure-applets · GitHub.

Also do note that user verification (PIN) is not yet implemented, so that’s not a valid reason for failing the test (as of now).

Known configurations:

Device: Samsung S9
OS: Android 11 Stock + Google Play Services (Sept 2022)
Software: Chrome, Firefox
Website: Yubico demo website
Result: U2F works, FIDO2 does not.
Reason: Stock Google Play Services do not implement support for FIDO2 (yet, at least for this phone). U2F fallback is required.

Device: Samsung S9
OS: Android 11 Stock + Google Play Services (Sept 2022)
App: https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example
Result: U2F and FIDO2 both function correctly

Device: Samsung S7
OS: LineageOS 9 + patched microG v0.2.25.223616
Software: Chrome, Firefox
Website: Yubico demo website
Result: U2F and FIDO2 both function correctly
Reason: I patched microG (Pull requests · microg/GmsCore · GitHub)

Device: Samsung S7
OS: LineageOS 9 + patched microG v0.2.25.223616
Software: Fennec F-Droid
Website: Yubico demo website
Result: Neither U2F nor FIDO2 works at all
Reason: Fennec does not yet implement the security manager API

Device: Samsung S7
OS: LineageOS 9 + patched microG v0.2.25.223616
App: https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example
Result: U2F and FIDO2 both function correctly

Device: PC + SCL011 reader
OS: Windows 10
Software: Chrome, Firefox, Edge, FIDO testing tools
Website: Yubico demo website
Result: U2F and FIDO2 both function correctly

Device: PC + SCL011 reader
OS: Linux
Software: Chrome, Firefox
Website: Yubico demo website
Result: Neither U2F nor FIDO2 works at all
Reason: The FIDO libraries used don't have NFC or PC/SC transport enabled yet

I am especially interested in people testing on Apple devices, and recent Android devices. Thank you!

Edit: Please make sure to always do a fresh applet reinstall before each testing session! I update the applets in the Fidesmo backend from time to time.

10 Likes

Device: PC + ACR122 reader
OS: Windows 11
Software: Edge, Firefox, Chrome
Website: Yubico demo website
Result: Both work

Edit: If you see this, it means you didn’t hold it there long enough, be smarter than me.

Thanks for the tests!

Interesting, for me Edge and Firefox work great with U2F as well as FIDO2 on Windows 10, both using the ACR122U as well as the SCL011.

Chrome however does not work today, displaying "Problem talking to the RP. Try again or refresh the page." I suppose that's a problem with my PC though.

Did you use the most recent version of the Applets? I.e. uninstall them and reinstall them via Fidesmo? I updated the binaries like one or two days ago.

Windows 11 unfortunately contains some regressions. You can try increasing the transaction timeout for smartcards, see https://support.yubico.com/hc/en-us/articles/360020178219-Troubleshooting-RDP-Latency § "Increase transaction timeout".

Also, the communication may take up to 1-2 seconds, so make sure you get a good and uninterrupted read.

I have not used Windows 11, but usually only one tap is required. The prompt to tap the token again is usually displayed if the connection broke unexpectedly.

1 Like

I only see one tap as well on Win 11, but there are sometimes two dialog pop-up windows in a row… you only need to tap the token with the last / 2nd one though.

The ACR122U (at least some models) cannot do extended APDUs: Unsupported or partly supported CCID readers. In theory the OS should then fall back to chained APDUs for FIDO2, but no idea if that actually happens.
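The chained-APDU fallback mentioned above, as an added example (not code from the applet, the CTAP-bridge or any FIDO library): a CTAP2 client fragments an NFCCTAP_MSG into 255-byte short APDUs with the chaining bit set in CLA, then reassembles a 61xx-chained response with GET RESPONSE. The AID, CLA/INS values and status words follow the CTAP NFC transport; the FakeNfcAuthenticator and its 200-byte response slices are a constructed stand-in so the code runs without a reader.

```python
# Added example (not the applet's, CTAP-bridge's or any library's own code): short-APDU
# chaining for the FIDO applet over PC/SC NFC, for readers that cannot pass extended APDUs.
FIDO_AID = bytes.fromhex("A0000006472F0001")  # FIDO applet AID (CTAP spec)
MAX_LC = 255                                   # data limit of a short APDU

def select_fido_apdu():
    """SELECT the FIDO applet by AID; the first APDU sent after the card is powered."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(FIDO_AID)]) + FIDO_AID + b"\x00"

def fragment_ctap_msg(ctap_cmd, cbor_payload=b""):
    """cmd+CBOR as short APDUs: CLA 0x90 (chaining bit) on all but the last fragment."""
    body = bytes([ctap_cmd]) + cbor_payload
    chunks = [body[i:i + MAX_LC] for i in range(0, len(body), MAX_LC)]
    apdus = []
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        apdu = bytes([0x80 if last else 0x90, 0x10, 0x00, 0x00, len(chunk)]) + chunk
        apdus.append(apdu + b"\x00" if last else apdu)   # Le=0x00 only on the last one
    return apdus

def ctap_exchange(transmit, ctap_cmd, cbor_payload=b""):
    """transmit(apdu) -> (data, sw1, sw2); returns (ctap_status, cbor_bytes)."""
    for apdu in fragment_ctap_msg(ctap_cmd, cbor_payload):
        data, sw1, sw2 = transmit(apdu)
        if (sw1, sw2) != (0x90, 0x00) and sw1 != 0x61:
            raise IOError(f"APDU rejected: SW={sw1:02X}{sw2:02X}")
    resp = bytes(data)
    while sw1 == 0x61:                              # more response bytes waiting
        data, sw1, sw2 = transmit(bytes([0x80, 0xC0, 0x00, 0x00, sw2]))  # GET RESPONSE
        resp += bytes(data)
    if (sw1, sw2) != (0x90, 0x00):
        raise IOError(f"GET RESPONSE failed: SW={sw1:02X}{sw2:02X}")
    return resp[0], resp[1:]                        # CTAP status byte, then CBOR

class FakeNfcAuthenticator:
    """Constructed stand-in (assumption, not a real card): reassembles fragments, echoes the payload."""
    def __init__(self):
        self.buf, self.pending = b"", b""
    def _sw(self):
        return (0x61, min(len(self.pending), 255)) if self.pending else (0x90, 0x00)
    def transmit(self, apdu):
        if apdu[1] != 0xC0:                         # NFCCTAP_MSG fragment
            self.buf += apdu[5:5 + apdu[4]]
            if apdu[0] == 0x90:
                return b"", 0x90, 0x00              # ack, wait for the rest
            self.pending, self.buf = b"\x00" + self.buf[1:], b""   # status OK + echo
        out, self.pending = self.pending[:200], self.pending[200:]
        return (out,) + self._sw()
```

With a real reader, pass `lambda apdu: connection.transmit(list(apdu))` from pyscard as `transmit` after sending `select_fido_apdu()` first.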

Device: PC + ACR122U
OS: Windows 10 Pro
Software: Windows Hello
Apex applet: FIDO

Result: I'm able to read it and "reset the security key" but unable to use it further.

Pressing "manage" just has me reset the security key again.

Windows Hello is not supported, and won't be until we finish up the implementation and acquire a certification from both FIDO and Microsoft, which is a long, expensive, and bureaucratic process.

(But we will)

5 Likes

… one we do plan on going through :slight_smile:

6 Likes

Edit: I was dumb and didn't hold it there long enough; in my defense, "tap" doesn't suggest leaving it there for a few seconds. Everything works when you do that.

2 Likes

Device: Samsung S9+
OS: Android 10
Software: Facebook app
U2F :+1:
Fido :-1:
Software: KeePassDX, F-Droid
U2F :-1:
Fido :-1:

Device: Samsung S21 5G
OS: Android 12
Software: Bitwarden (Firefox mobile browser)
U2F :+1:
Fido :-1:
Software: Bitwarden mobile app
U2F :+1:
Fido :-1:

Here are my results. I have around 10-20 different Android phones at home.

Device: Google Pixel 6 Pro
OS: Android 13
Software: Google Chrome (and webview)
U2f :+1:
Fido :+1:
Fido2 :-1:
Software: WebAuthn - FIDO2 Example App
U2f :+1:
Fido :+1:
Fido2 :+1:

Device: OnePlus 7 Pro
OS: Kali Nethunter (Android 10) [OxygenOS 10.0.3GM21AA]
Software: Google Chrome (and webview)
U2f :+1:
Fido :+1:
Fido2 :-1:
Software: WebAuthn - FIDO2 Example App
U2f :+1:
Fido :+1:
Fido2 :+1:

UPDATE: I added Fido2 testing as I was using the U2F applet before.

I will test with some of the other recent ones when I get home on Monday.

1 Like

Is there any way to use my ACR122u for FIDO on my Mac like others are doing on Windows?

This guy has a lot of resources…

Might have some ideas for FIDO on macOS with a contactless reader.

Maybe check Chrome or another browser with better FIDO support. According to this: Expanded Support for FIDO Authentication in iOS and MacOS - FIDO Alliance, it seems Apple built their own FIDO support based on Touch ID and Face ID for Safari, but that's only for Apple authenticators using Touch ID and Face ID. I doubt they would also support contactless readers that would compete with their attempt to fully monopolize their customers' digital identity.

1 Like

New call for testing!

The FIDO2 applet available via Fidesmo has just been updated and now comes with a few new features!

Changelog:

  • Conform to the FIDO2 Full Feature profile
  • Implement HMAC-secret extension
  • Implement non-resident keys
  • Implement Client PIN protocol 1
  • Add support for legacy RSA type keys
  • Use less memory
  • A lot of bugs fixed

Please report any issues you find, and feel free to test! (You have to re-install the applet via Fidesmo, which will delete your keys).

4 Likes

Got an odd error testing FIDO2 using the vsmartcard remote-reader app on Android with webauthn.me registration… a "tag lost" error… but only with the FIDO2 applet… U2F works fine… the ACR1252U reader works fine with the FIDO2 applet… so this is more of a bug report for vsmartcard / remote-reader than anything else, I guess.

Sometimes the connection times out because key generation takes a bit, plus the added latency of the network connection. Make sure to increase the timeout in the settings of the reader app, and maybe even in the Windows registry for the smartcard stack (see https://support.yubico.com/hc/en-us/articles/360020178219-Troubleshooting-RDP-Latency).

I’ve written up some of the experimentation I’ve done here: Question about FIDO2 capabilities of Apex Flex - #11 by SteffanDonal

So far I’ve not run into any issues that I’ve deemed to be specifically the FIDO2 applet on my Apex Flex :raised_hands:

1 Like

The next bugfix update will be accompanied by the public release of a development tool I wrote.

This tool interfaces with the Linux kernel and provides a translation bridge between the USB CTAPHID drivers of Firefox / Chrome and the PC/SC NFC drivers. Previously, using NFC FIDO was not possible on Linux out of the box (yet; I still hope for first-party support); now it is. Sneak peek:

5 Likes

New call for testing! We are getting ever closer to full spec compliance and certification. All of the planned features for the first version (aka CTAP2.0) have now been implemented; what comes now is a lot of testing and bugfixing. What you might like is the fact that this version now supports cross-compatible credentials between the FIDO2 and U2F interfaces of this applet, which means you can use the same token on your iPhone (which only does FIDO2) and Android (which only does U2F). Also, the overall stability has been improved.

The FIDO2 applet available via Fidesmo has just been updated and now comes with a few new features!

Changelog:

  • General
    • New features
      • Implemented credProtect extension
      • Implemented U2F fallback interface with full credential inter-compatibility
    • Changes
      • User presence is now enforced. This means that consecutive operations might require extra taps on the NFC reader.
      • Removed all heap allocations; the applet now runs in a constant amount of memory, which is faster and more stable
      • Reduced RAM usage by heavily re-using internal buffers
      • Reduced installation size
      • Improved encoding for stored credentials, uses less persistent storage

Please report any issues you find, and feel free to test! (You have to re-install the applet via Fidesmo, which will delete your keys).

Also, as promised, the Linux CTAP2 FIDO2 bridge can be found at GitHub - StarGate01/CTAP-bridge: FIDO2 PC/SC CTAPHID Bridge. It was public all along, haha! If you have questions or problems concerning that tool, please file an issue in the repository.

Known bug: The FIDO2 / WebAuthn Example App has a bug when using the U2F mode of the FIDO2 tab, where it crashes upon registration. Use the dedicated U2F tab for testing. This bug is due to the app not implementing the U2F spec properly (https://matrix.to/#/#hwsecurity:stratum0.org). In future versions of the applet we might work around this; however, that is not really relevant for real-world usage.

8 Likes