Yubico Forum ...visit our web-store at 2014-11-18T08:22:09+01:00 https://forum.yubico.com/feed.php?f=33&t=1608 2014-11-18T08:22:09+01:00 2014-11-18T08:22:09+01:00 https://forum.yubico.com/viewtopic.php?t=1608&p=6247#p6247 <![CDATA[Re: Q:- U2F, is there validation the user pressed the button]]> https://developers.yubico.com/python-u2flib-server/

touch is "signed" by the device.

Statistics: Posted by Tom — Tue Nov 18, 2014 8:22 am

]]> 2014-11-17T22:19:01+01:00 2014-11-17T22:19:01+01:00 https://forum.yubico.com/viewtopic.php?t=1608&p=6246#p6246 <![CDATA[Q:- U2F, is there validation the user pressed the button?]]> demo site, there's a 'touch' argument. It's marked as 'true'.

My question is:- Is that 'touch' value signed by the u2f device? Or is that just the browser telling the the site that it requested a touch? I ask because, obviously, if malware is on your machine, the site could request a touch, but the malware could easily swap it out before it reaches the key and mark it as not-touch, then, on the way back to the site, swap it back round to being 'touched' again.

The reason why I don't think it is is because it's under the "Authentication parameters", not "Response data".

Statistics: Posted by Automatic — Mon Nov 17, 2014 10:19 pm

]]>