FIDO testers wanted

Do you own an Apex or any other NXP P71 device?

Developing the FIDO U2F and FIDO2 applets is a big effort and I need more test data.

Please test the U2F as well as the FIDO2 applet against every device and app / website you can think of, and then report back with the device name, operating system (+ version), browser (+ version) and service URL.

For Android notes, see flexsecure-applets/4-android.md in the DangerousThings/flexsecure-applets repository on GitHub.

Also do note that user verification (PIN) is not yet implemented, so that’s not a valid reason for failing the test (as of now).

Known configurations:

Device: Samsung S9
OS: Android 11 Stock + Google Play Services (Sept 2022)
Software: Chrome, Firefox
Website: Yubico demo website
Result: U2F works, FIDO2 does not.
Reason: Stock Google Play Services do not implement support for FIDO2 (yet, at least for this phone). U2F fallback is required.

Device: Samsung S9
OS: Android 11 Stock + Google Play Services (Sept 2022)
App: https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example
Result: U2F and FIDO2 both function correctly

Device: Samsung S7
OS: LineageOS 9 + patched microG v0.2.25.223616
Software: Chrome, Firefox
Website: Yubico demo website
Result: U2F and FIDO2 both function correctly
Reason: I patched microG (Pull requests · microg/GmsCore · GitHub)

Device: Samsung S7
OS: LineageOS 9 + patched microG v0.2.25.223616
Software: Fennec F-Droid
Website: Yubico demo website
Result: Neither U2F nor FIDO2 works at all
Reason: Fennec does not yet implement the security manager API

Device: Samsung S7
OS: LineageOS 9 + patched microG v0.2.25.223616
App: https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example
Result: U2F and FIDO2 both function correctly

Device: PC + SCL011 reader
OS: Windows 10
Software: Chrome, Firefox, Edge, FIDO testing tools
Website: Yubico demo website
Result: U2F and FIDO2 both function correctly

Device: PC + SCL011 reader
OS: Linux
Software: Chrome, Firefox
Website: Yubico demo website
Result: Neither U2F nor FIDO2 works at all
Reason: The FIDO libraries used don't have NFC or PC/SC transport enabled yet

I am especially interested in people testing on Apple devices, and recent Android devices. Thank you!

Edit: Please make sure to always do a fresh applet reinstall before each testing session! I update the applets in the Fidesmo backend from time to time.

Device: PC + ACR122 reader
OS: Windows 11
Software: Edge, Firefox, Chrome
Website: Yubico demo website
Result: Both work

Edit: If you see this, it means you didn’t hold it there long enough, be smarter than me.

Thanks for the tests!

Interesting, for me Edge and Firefox work great with U2F as well as FIDO2 on Windows 10, both using the ACR122U as well as the SCL011.

Chrome, however, does not today, displaying “Problem talking to the RP. Try again or refresh the page.” I suppose that's a problem with my PC though.

Did you use the most recent version of the Applets? I.e. uninstall them and reinstall them via Fidesmo? I updated the binaries like one or two days ago.

Windows 11 unfortunately contains some regressions. You can try increasing the transaction timeout for smartcards, see https://support.yubico.com/hc/en-us/articles/360020178219-Troubleshooting-RDP-Latency § "Increase transaction timeout".

Also, the communication may take up to 1-2 seconds, so make sure you get a good and uninterrupted read.

I have not used Windows 11, but usually only one tap is required. The prompt to tap the token again is usually displayed if the connection broke unexpectedly.

I only see one tap as well on Win 11, but there are sometimes two dialog pop-up windows in a row… only need to tap the token with the last / 2nd one though.

The ACR122U (at least some models) cannot do extended APDUs: see "Unsupported or partly supported CCID readers". In theory the OS should then fall back to chained APDUs for FIDO2, but no idea if that actually happens.
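What the two framings mentioned above look like on the wire, as an added example that is not part of the original posts or of the applet code: one extended APDU versus the same payload split into chained short APDUs (ISO 7816-4 chain bit in CLA). The CLA `0x80` / INS `0x10` header is the CTAP2-over-NFC framing assumed here from the FIDO CTAP specification, and the 600-byte payload is constructed.

```python
# Added example: short-APDU command chaining vs. one extended APDU (ISO 7816-4).
CHAIN_BIT = 0x10                        # CLA bit: "more command data follows"
NFCCTAP_MSG = (0x80, 0x10, 0x00, 0x00)  # assumed CLA, INS, P1, P2 (CTAP2 over NFC)


def extended_apdu(cla, ins, p1, p2, data):
    """Case 4 extended APDU: 00 + 2-byte Lc, 2-byte Le (00 00 = maximum)."""
    if not 0 < len(data) <= 0xFFFF:
        raise ValueError("extended Lc must be 1..65535")
    lc = len(data).to_bytes(2, "big")
    return bytes([cla, ins, p1, p2, 0x00]) + lc + data + b"\x00\x00"


def chained_apdus(cla, ins, p1, p2, data, chunk=255):
    """Split data into short APDUs; all but the last carry the chain bit."""
    if not data:
        raise ValueError("nothing to send")
    frames = []
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        last = off + chunk >= len(data)
        header = bytes([cla if last else cla | CHAIN_BIT, ins, p1, p2, len(part)])
        # Only the final frame requests response data (Le = 00, up to 256 bytes).
        frames.append(header + part + (b"\x00" if last else b""))
    return frames


def reassemble(frames):
    """Card-side view: validate the chain and rebuild the original payload."""
    payload = b""
    for i, frame in enumerate(frames):
        last = i == len(frames) - 1
        if bool(frame[0] & CHAIN_BIT) == last:
            raise ValueError(f"frame {i}: chain bit inconsistent")
        lc = frame[4]
        if len(frame) != 5 + lc + (1 if last else 0):
            raise ValueError(f"frame {i}: bad length")
        payload += frame[5:5 + lc]
    return payload


# Constructed sample: a 600-byte stand-in for a CTAP2 request (not a real message).
SAMPLE = bytes([0x01]) + bytes(range(256)) * 2 + bytes(87)
FRAMES = chained_apdus(*NFCCTAP_MSG, SAMPLE)
```

A reader that rejects the 609-byte extended frame can still carry the three short frames, which is why the fallback matters for larger FIDO2 requests.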

Device: PC + ACR122U
OS: Windows 10 Pro
Software: Windows Hello
Apex applet: FIDO

Result: I'm able to read it and ‘reset the security key’ but unable to use it further.

Pressing manage just has me reset the security key again.

Windows Hello is not supported, and won't be until we finish up the implementation and acquire a certification from both FIDO and Microsoft, which is a long, expensive, and bureaucratic process.

(But we will)

… one we do plan on going through 🙂

Edit: I was dumb, and didn’t hold it there long enough, in my defense “tap” doesn’t suggest to leave it there for a few seconds. Everything works when you do that.

Device: Samsung S9+
OS: Android 10
Software: Facebook app
U2f 👍
Fido 👎
Software: KeePassDX, F-Droid
U2f 👎
Fido 👎

Device: Samsung S21 5G
OS: Android 12
Software: Bitwarden (Firefox mobile browser)
U2f 👍
Fido 👎
Software: Bitwarden mobile app
U2f 👍
Fido 👎

Here are my results. I have around 10-20 different Android phones at home.

Device: Google Pixel 6 Pro
OS: Android 13
Software: Google Chrome (and webview)
U2f 👍
Fido 👍
Fido2 👎
Software: WebAuthn - FIDO2 Example App
U2f 👍
Fido 👍
Fido2 👍

Device: OnePlus 7 Pro
OS: Kali Nethunter (Android 10) [OxygenOS 10.0.3GM21AA]
Software: Google Chrome (and webview)
U2f 👍
Fido 👍
Fido2 👎
Software: WebAuthn - FIDO2 Example App
U2f 👍
Fido 👍
Fido2 👍

UPDATE: I added Fido2 testing as I was using the U2F applet before.

I will test with some of the other recent ones when I get home on Monday.

Is there any way to use my ACR122u for FIDO on my Mac like others are doing on Windows?

This guy has a lot of resources…

Might have some ideas for FIDO on macOS with a contactless reader.

Maybe check Chrome or another browser with better FIDO support. According to this: Expanded Support for FIDO Authentication in iOS and MacOS - FIDO Alliance, it seems Apple built their own FIDO support based on Touch ID and Face ID for Safari, but that’s only for Apple authenticators using Touch ID and Face ID. I doubt they would also support contactless readers that would compete with their attempt to fully monopolize their customers' digital identity.