Edit: I was dumb, and didn’t hold it there long enough, in my defense “tap” doesn’t suggest to leave it there for a few seconds. Everything works when you do that.
2 Likes
Device: samsung s9+
OS: android 10
Software: facebook app
U2f 
Fido 
Software: keepassdx, f-droid
U2f
Fido
Device: samsung S21 5G
OS: android 12
Software: bitwarden (firefox mobile browser)
U2f
Fido
Software: bitwarden mobile app
U2f
Fido
Here are my results. I have around 10-20 different Android phones at home.
Device: Google Pixel 6 Pro
OS: Android 13
Software: Google Chrome (and webview)
U2f
Fido
Fido2
Software: WebAuthn - FIDO2 Example App
U2f
Fido
Fido2
Device: OnePlus 7 Pro
OS: Kali Nethunter (Android 10) [OxygenOS 10.0.3GM21AA]
Software: Google Chrome (and webview)
U2f
Fido
Fido2
Software: WebAuthn - FIDO2 Example App
U2f
Fido
Fido2
UPDATE: I added Fido2 testing as I was using the U2F applet before.
I will test with some of the other recent ones when I get home on Monday.
1 Like
This guy has a lot of resources…
Might have some ideas for Fido on macos with contactless reader.
Maybe check chrome or another browser with better Fido support. According to this; Expanded Support for FIDO Authentication in iOS and MacOS - FIDO Alliance it seems apple built their own Fido support based on touch id and face id for Safari but that’s only for apple authenticators using touch id and face id. I doubt they would also support contactless readers that would compete with their attempt to fully monopolize their customers digital identity.
1 Like
New call for testing!
The FIDO2 applet available via Fidesmo has just been updated and now comes with a few new features!
Changelog:
- Conform to the FIDO2 Full Feature profile
- Implement HMAC-secret extension
- Implement non-resident keys
- Implement Client PIN protocol 1
- Add support for legacy RSA type keys
- Use less memory
- A lot of bugs fixed
Please report any issues you find, and feel free to test! (You have to re-install the applet via Fidesmo, which will delete your keys).
4 Likes
got an odd error testing fido2 using vsmartcard remote-reader app on android with webauthn.me registration… “tag lost” error… but only with fido2 applet… u2f works fine… acr1252u reader works fine with fido2 applet… so this is more of a bug report for vsmartcard / remote-reader than anything else i guess.
Sometimes the connection times out because key generation takes a bit, plus the added latency of the network connection. Make sure to increase the timeout in the settings of the reader app, and maybe even in the Windows registry for the smartcard stack (see https://support.yubico.com/hc/en-us/articles/360020178219-Troubleshooting-RDP-Latency)
I’ve written up some of the experimentation I’ve done here: Question about FIDO2 capabilities of Apex Flex - #11 by SteffanDonal
So far I’ve not run into any issues that I’ve deemed to be specifically the FIDO2 applet on my Apex Flex 
1 Like
The next bugfix update will be accompanied by the public release of a development tool I wrote.
This tool interfaces the Linux kernel and provides a translation bridge between the USB CTAPHID drivers of Firefox / Chrome and the PC/SC NFC drivers. Previously, Using NFC FIDO was not possible on Linux (out of the box, yet, I still hope for first-party support), now it is. Sneak peek:
5 Likes
New call for testing! We are getting ever closer to full spec compliance and certification. All of the planned features for the first version (aka CTAP2.0) have now been implemented, what comes now is a lot of testing and bugfixing. What you might like is the fact that this version now supports cross-compatible credentials between the FIDO2 and U2F interfaces of this applet, which means you can use the same token on your iPhone (which only does FIDO2) and Android (which only does U2F). Also, the overall stability has been improved.
The FIDO2 applet available via Fidesmo has just been updated and now comes with a few new features!
Changelog:
- General
- Upgraded to JavaCard 3.0.5 to use new memory-efficient algorithms
- Fixed many bugs, mainly edge-cases and encoding related problems for specific clients
- Pass the Google testing and fuzzing suite for FIDO2 (GitHub - google/CTAP2-test-tool: Test tool for CTAP2 authenticators)
- Pass the FIDO Conformance Self‐Validation Testing Tools for U2F and FIDO2
- Finished refactoring, streamlining, and documenting the entire codebase
- Stabilize CTAP2-Bridge (GitHub - StarGate01/CTAP-bridge: FIDO2 PC/SC CTAPHID Bridge)
- Improve spec-compliance of the used authenticated key wrapping encryption algorithm for server credentials
- New features
- Implemented credProtect extension
- Implemented U2F fallback interface with full credential inter-compatibility
- Changes
- User presence is now enforced. This means that consecutive operations might require extra taps on the NFC reader.
- Removed all heap allocations, applet now runs in constant amount of memory which is faster and more stable
- Reduced RAM usage by heavily re-using internal buffers
- Reduced installation size
- Improved encoding for stored credentials, uses less persistent storage
Please report any issues you find, and feel free to test! (You have to re-install the applet via Fidesmo, which will delete your keys).
Also, as promised, the Linux CTAP2 FIDO2 bridge can be found at GitHub - StarGate01/CTAP-bridge: FIDO2 PC/SC CTAPHID Bridge . It was public all along, haha! If you have questions or problems concerning that tool, please file an issue in the repository.
Known bug: The FIDo2 / WebAuthN Example App has a bug when using the U2F mode of the FIDO2 tab where it crashes upon registration. Use the dedicated U2F tab for testing. This bug is due to the app not implementing the U2F spec properly (https://matrix.to/#/#hwsecurity:stratum0.org) . In future versions of the applet we might work around this, however that is not really relevant for real-world usage.
8 Likes
Truly incredible work, well done and thank you.
6 Likes
Thanks for all of your work on this.
Stupid question though: is there a way I can download my current u2f credentials and then reinstall them after I update?
1 Like
No, there is no way to export credentials, by design. FIDO mandates that the secrets keys are generated on the device and never leave the device (in a cleartext format).
Usually a service should enable you to just register a new key.
Thanks. That’s what I thought but so was not sure. Really appreciate your work on the updates.
2 Likes
I just pushed an update to Fidesmo which includes a workaround for the aforementioned bug in the FIDO2 / WebAuthN Example App. Same warnings as always apply, update will delete your keys, etc.
Please report any issues you find.
As to why I even bothered to fix this issue even though it is caused by a third party misinterpreting the specification - this mistake is easy to make and I don’t know which services include the bugged SDK or make the same mistake.
6 Likes
Just to be clear, after a short conversation about this issue, it just made sense to make this modification. It doesn’t restrict our compatibility with any other compliant services and it doesn’t limit our utility either… This update just ensures we can operate with the buggy SDK at no real expense or cost to our utility or interoperability with other services.
4 Likes
Correct, all I did was to invest more time into optimization to reduce the size of the generated credential metadata. This of course is still fully compatible to everything else.
3 Likes
A small update has been released, which fixes some edge-cases in regards to very large credentials.
The applet now properly reports once the chip runs out of persistent memory to store resident credentials, but keeps on working for server-type credentials which don’t require persistent memory.
Persistent memory is now only ever allocated once for any credential if and only if it is required (i.e. to store a resident credential), all other (server-type / non-resident) credentials are handled completely in RAM. RAM is statically allocated, which means the applet never uses more than the ~2kB of RAM it initially allocates at installation. Memory and RAM usage is subject to future optimization.
Please report any issues you find, and feel free to test! (You have to re-install the applet via Fidesmo, which will delete your keys). This update is a small once and probably won’t add anything to your usage if you already use the FIDO2 applet, so feel free to skip it. This update is really just something to comply with the spec and get closer to certification.
The CTAP-Bridge (GitHub - StarGate01/CTAP-bridge: FIDO2 PC/SC CTAPHID Bridge) and the FIDO2 docs (https://github.com/DangerousThings/flexsecure-applets/blob/master/docs/applets/6-fido2.md) have also received small updates.
1 Like