What are valid responses for the u2f version MSG? (FIDO2, CTAP2)
Hi everyone,
[when using CTAPHID] newer versions of Firefox seem to issue a u2f version request after INIT if you choose the non-passkey login method (e.g. on Github). I wanted to ask what Firefox expects as response if I want to tell it that I don't support u2f.
The CTAP2 spec states that "The U2F_REGISTER and U2F_AUTHENTICATE commands MUST immediately fail and return SW_COMMAND_NOT_ALLOWED" if I've disabled u2f but I can't find anything about the VERSION command.
If I return "U2F_V2\x90\x00" (without quotation marks) atleast I get a response. Just returning SW_COMMAND_NOT_ALLOWED (which should be "\x69\x86") doesn't seem to work (Firefox doesn't issue any further requests). I've also tried something like "FIDO_2_0\x90\x00" without success.
Can somebody tell me what Firefox expects in that case or can give me link to the related source code?
Best regards david
All Replies (2)
In the context of FIDO2 and CTAP2 (Client-to-Authenticator Protocol 2), the U2F version message (U2F_VERSION) is part of the communication protocol used between a FIDO2 client (like a browser) and a FIDO2 authenticator (like a security key). It's used to negotiate and identify the version of the protocol that both the client and authenticator support.
The U2F version message typically includes a list of valid versions that the authenticator supports. As of my last knowledge update in September 2021, some of the valid U2F versions that may appear in the U2F version message are:
U2F_V2: This is the original U2F (Universal 2nd Factor) version, and it corresponds to the initial specification for hardware-based two-factor authentication. This version uses a challenge-response mechanism to authenticate the user.
CTAP2/U2F_V2: CTAP2 (Client-to-Authenticator Protocol 2) is the successor to U2F and is used in FIDO2 authentication. CTAP2 is a more advanced protocol that supports various types of authenticators, including biometric and passwordless methods. U2F_V2 in the U2F version message typically indicates compatibility with CTAP2 and FIDO2.
Thanks for the reply,
I'll try that out later.
Edit: "CTAP2\x90\x00", "CTAP/U2F_V2\x90\x00", "FIDO2\x90\x00" all do not seem to work. The only response that seems to "satisfy" Firefox is "U2F_v2\x90\x00".
Edit 2: So it seems I misdiagnosed the problem a little bit. I turned my "test credential" into a "PassKey" prior. Discoverable credentials always have to return at least the user id in a getAssertion response (even if you use it as second factor), but that didn't happen.
I guess that somehow the browser went into something like a "fallback mode" because of the malformed response and issued a u2f command.
Doesn't really answer the initial question, so I'll keep it open. I'm still interested if I can just always return SW_COMMAND_NOT_ALLOWED (or something similar).
Modified