U2F over NFC #1755
U2F over NFC #1755
Conversation
|
Wow, thank you! |
hedger
added
WIP
|
@devsnek looks like we need to test uploading to device to run the rest of CI? |
flipperdevices/flipperzero-firmware#1755 from @devsnek may need more testing
| memcpy(&out_buf[6], state_no_error, 2); | ||
| return 8; | ||
| } else if(in_buf[1] == U2F_CMD_APPLET_SELECTION) { | ||
| return u2f_applet_selection(in_buf, out_buf); |
There was a problem hiding this comment.
This doesn't appear to update any global state, so this makes it possible to communicate with the U2F applet without SELECT, which is explicitly disallowed by the CTAP 2.x spec (emphasis mine):
- NFC, when the applet is selected as specified.
- Authenticator SHALL NOT allow FIDO applet to be implicitly selected or enabled.
- Recommended: Authenticator SHALL NOT have default applet selected on power cycle. All CTAP commands SHALL be preceded by an explicit applet selection command as described in Applet selection section.
- Alternative: If authenticator has a FIDO applet selected for some reason at power cycle, it SHALL be in disabled mode and SHALL ONLY be enabled once it receives explicit applet selection command as described in Applet selection section.
The U2F 1.2 NFC spec also states that applet selection is required:
A FIDO client SHALL always send an applet selection command to begin interaction with a FIDO authenticator via NFC.
Some operating systems filter SELECT commands sent over smartcard interfaces in order to limit direct access to the CTAP/U2F applet; so any device which allows implicit selection would bypass this control.
The deselect command is also not implemented by this PR, but that's not part of the U2F 1.2 spec, so it may be worth waiting for proper CTAP2 support for that one.
| if(app->u2f_ready == true) { | ||
| u2f_set_event_callback(app->u2f_instance, u2f_scene_main_event_callback, app); | ||
| app->u2f_hid = u2f_hid_start(app->u2f_instance); | ||
| // app->u2f_hid = u2f_hid_start(app->u2f_instance); |
There was a problem hiding this comment.
Could both the USB and NFC interfaces be running at the same time? Or there be some way to select which one you want?
|
Hello everyone! Thanks @devsnek for PR! I will close it for now, since we are not planning to support NFC over U2F in our firmware. However, if you want to continue working on it, you can write application and submit it to https://github.com/flipperdevices/flipper-application-catalog repository. If you have any questions, feel free to contact me on Discord. |
|
Is this still the consensus on U2F over NFC, or would you be open to contributors implementing it into the U2F part of the firmware? There seems to be enough interest, which makes sense because it makes using U2F on mobile devices significantly more convenient. If not, I'd be interested in knowing the thoughts behind the decision 🙂 |
7 participants
What's new
Provides access to the U2F interface over NFC. This was originally based on #1510 but it kind of went off the rails due to the nuttiness of rafl/furi ISO-DEP support.
Verification
Head over to a site like https://webauthn.io on your phone, and try registering/logging in with NFC.
Checklist (For Reviewer)