Yubico Forum https://forum.yubico.com/ |
Q:- U2F, is there validation the user pressed the button? https://forum.yubico.com/viewtopic.php?f=33&t=1608 |
Author: | Automatic [ Mon Nov 17, 2014 10:19 pm ] |
Post subject: | Q:- U2F, is there validation the user pressed the button? |
I just skimmed through the fido-u2f specification searching for `user verification`, however, I couldn't find what I was after. On your demo site, there's a 'touch' argument. It's marked as 'true'. My question is:- Is that 'touch' value signed by the u2f device? Or is that just the browser telling the site that it requested a touch? I ask because, obviously, if malware is on your machine, the site could request a touch, but the malware could easily swap it out before it reaches the key and mark it as not-touch, then, on the way back to the site, swap it back round to being 'touched' again. The reason why I don't think it is is because it's under the "Authentication parameters", not "Response data". |
Author: | Tom [ Tue Nov 18, 2014 8:22 am ] |
Post subject: | Re: Q:- U2F, is there validation the user pressed the button |
Check the code: https://developers.yubico.com/python-u2flib-server/ Touch is "signed" by the device. |
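
Added example (not from either poster and not python-u2flib-server code): in the FIDO U2F raw message format the token's signature covers SHA-256(appId) || user-presence byte || counter || SHA-256(client data), so a presence byte rewritten between token and site no longer verifies. The pure-Python P-256 routines, the key, the appId and the client data are constructed stand-ins for the token, for illustration only.

```python
import hashlib, struct
P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # NIST P-256 field prime (a = -3; b unused below)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
sha = lambda b: hashlib.sha256(b).digest()

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
         else (y2 - y1) * pow((x2 - x1) % P, -1, P))
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; demo only, not constant time
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def signed_data(app_id, client_data, presence, counter):
    """What the token signs: SHA-256(appId) || presence byte || counter || SHA-256(clientData)."""
    return sha(app_id) + bytes([presence]) + struct.pack(">I", counter) + sha(client_data)

def token_sign(d, msg):
    """Stand-in for the token's ECDSA; demo nonce derivation, not RFC 6979."""
    z = int.from_bytes(sha(msg), "big")
    k = int.from_bytes(sha(d.to_bytes(32, "big") + msg), "big") % N or 1
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def rp_accepts(pub, app_id, client_data, presence, counter, sig):
    """Relying party: signature must cover the reported presence byte, and bit 0 must be set."""
    r, s = sig
    if not (presence & 1 and 0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(sha(signed_data(app_id, client_data, presence, counter)), "big")
    u1, u2 = z * pow(s, -1, N) % N, r * pow(s, -1, N) % N
    pt = add(mul(u1, G), mul(u2, pub))
    return pt is not None and pt[0] % N == r

def demo(signed_presence, reported_presence):  # constructed key, appId and client data
    d, app, cd = 0xC0FFEE, b"https://rp.example", b'{"challenge":"constructed"}'
    sig = token_sign(d, signed_data(app, cd, signed_presence, 7))
    return rp_accepts(mul(d, G), app, cd, reported_presence, 7, sig)
```

`demo(1, 1)` is accepted; `demo(0, 1)` models the swap described in the question and is rejected because the signature was made over a presence byte of 0.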
All times are UTC + 1 hour |