Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:56 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
 Post subject: U2F Behavior Confusion
PostPosted: Fri Dec 05, 2014 12:23 am 
Offline

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I am quite confused trying to reconcile one of the U2F claims and the actual behavior I am witnessing.

Specifically, the following claims (from fido-u2f-overview-v1.0-rd-20131008, Section 12):

  • A U2F device does not have a global identifier visible across online services or websites.
  • A U2F device does not have a global identifier within a particular online service or website.
  • A user has to activate the U2F device (i.e.,'press the button') before it will issue a key pair (for registration) or sign a challenge.
  • If a user has registered multiple U2F devices to a particular account, then during authentication all the Key Handles are sent by the origin to the intermediate page. The intermediate page call the signature javascript function with the array of Key Handles and sends the aggregated response back to the origin. Each attached activated U2F device signs for those Key Handles in the array that it recognizes. (from section 11.2 of the above-referenced overview)

Thus, it is implied that the only way for a U2F token to identify itself to a service is to actually authenticate itself by signing a challenge — the act of which requires some form of user-input before proceeding.

However, this is demonstrably not the case — at least not for Google*.

For example, let's say I have two security keys. One is associated with my Google account (Security-Key-A), and one isn't (Security-Key-B). I connect both of them to my computer and, using Chrome, try to log into my google account. When I do this, the only security key that starts blinking is the security key that is associated with my account.

More tellingly, if I remove Security-Key-A, leaving ONLY Security-Key-B connected, and then try to log in, I get the following message from the google login process: "The Security Key you're using isn't yet registered for this account."

Note that, in both cases, I have not yet pressed the button on either security key. However, somehow Google magically knew that the connected security key wasn't the one it wanted to hear from. This evidence leads me to believe that there is a capability for a website to detect/poll-for the presence of specific security keys without any action by the user or even a visible indication that such a scan has occurred.

Am I misunderstanding something?


* Note that the Yubico U2F demo does not behave in this way.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Dec 05, 2014 11:39 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Aug 06, 2014 2:40 pm
Posts: 38
Good question!

There's a control byte when authenticating that can be set to 0x07 ("check-only"). From the U2F specs:
Quote:
if the control byte is set to 0x07 by the FIDO Client, the U2F token is supposed to simply check whether the provided key handle was originally created by this token, and whether it was created for the provided application parameter. If so, the U2F token MUST respond with an authentication response message:error:test-of-user-presence-required (note that despite the name this signals a success condition). If the key handle was not created by this U2F token, or if it was created for a different application parameter, the token MUST respond with an authentication response message:error:bad-key-handle.


The reason why you're not seeing this behavior on Yubico's U2F demo site is most likely because the U2F extensions behaves differently than the built-in Chrome U2F support (which is currently limited to Google domains, but won't be soon).


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group