I am trying to use the libfido2 library (the python3 version, though) and wondering how to deal with multiple devices. The problem being that if there are multiple security keys present I want to find the one that created a certain credential id I know without having to tap on each key or enter a pin to find out which one it is.
According to this blog post, in CTAP1 there was a "check-only" flag that you could set in an assertion:
Browsers implement this by sending a series of assertion requests to each security key to see whether any of the credential IDs are valid for them. That’s why there’s a “check only” mode in the assertion request: it causes the security key to report whether the credential ID was recognised without requiring a touch.
Could someone please point me to how this quiet checking can be done with the latest protocol version of CTAP2 and WebAuthn?
In theory yes, but there are a lot of factors that can affect this. The shorter answer would be to send an assertion request with `up=false`, `uv=false` and no `pinUvAuthParam`. This would result in the device returning `FIDO_ERR_NO_CREDENTIALS` when there are no credentials, or info on the credential if it exists.

However, there are a lot of caveats here. If the device is configured as alwaysUv, the device will request user verification. This also requires that either the credential is discoverable or that you have the id of the key in your request. This also requires that the key's credProtect settings fit the requirements for this. So there are plenty of things that can make this impossible to do.
It should also be noted that WebAuthn's `discouraged` for `UserVerificationRequirement` only applies to UV, as the User Presence flag in WebAuthn is a constant `true` boolean flag.

I haven't used the python version of Yubico's libfido2 but have used the CLI tool from Yubico and will exemplify this with that tool.
By creating a key on a FIDO2 device with it, following the description in their man page, `man fido2-cred`, one can create a credential the following way:

Following the man page, `man fido2-assert`, for assertion one can create an assertion for that key. This relies on having created the cred file in the first code example.

The above code example would require a User Presence check by the key, as that is the default. However, changing the last line into just

would remove the UP check and then return either credential information or `fido2-assert: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS` in case no credentials with that ID exist. Note that I only supplied the UP flag to it, as the UV flag is in general defaulted to false.
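As an added example (not code from the question, the answer, or the python-fido2 project), here is the same check-only probe in Python, since the question asked about the Python library and about handling several keys at once: it loops over the attached HID authenticators and sends each one a getAssertion with `up=false`, `uv=false` and no `pinUvAuthParam`, exactly as the answer describes, then sorts the keys by the CTAP2 status they return. It assumes python-fido2's `Ctap2.get_assertion` accepts `allow_list=` and `options=` keyword arguments and raises `CtapError` with a `.code` attribute; the probe logic is kept independent of the library (it only needs a callable with that shape) so it can be exercised with a stand-in. The status code values are from the CTAP2 specification, and the `client_data_hash` is a constructed dummy because the returned signature is never verified.

```python
"""Check-only probe: find which attached FIDO2 authenticator holds a known
credential id without a touch, by sending authenticatorGetAssertion with
up=false, uv=false and no pinUvAuthParam and reading the CTAP2 status.
Added example; not code from the question, the answer or python-fido2."""
import hashlib

# CTAP2 status codes (FIDO CTAP specification, "Error responses").
CTAP2_ERR_INVALID_OPTION = 0x2C   # authenticator rejected up=false
CTAP2_ERR_NO_CREDENTIALS = 0x2E   # nothing in allowList belongs to this key
CTAP2_ERR_PIN_REQUIRED = 0x36     # key insists on PIN/UV (CTAP 2.1: PUAT_REQUIRED)


def check_only_options():
    """Options map for a silent getAssertion: no touch, no user verification.
    The caller also omits pinUvAuthParam, so no PIN or UV is involved."""
    return {"up": False, "uv": False}


def probe(get_assertion, rp_id, cred_id, client_data_hash=None):
    """Send one check-only getAssertion through get_assertion, a callable with
    the shape of python-fido2's Ctap2.get_assertion (assumption: it accepts
    allow_list= and options= keywords and raises an exception whose .code is
    the CTAP status). Returns "present", "absent" or "unknown: <why>".
    The signature of a "present" response is discarded, so the hash is a dummy."""
    if client_data_hash is None:
        client_data_hash = hashlib.sha256(b"check-only probe").digest()  # constructed
    # Raw CBOR-level PublicKeyCredentialDescriptor; only this key's own id is listed.
    allow_list = [{"type": "public-key", "id": cred_id}]
    try:
        get_assertion(rp_id, client_data_hash,
                      allow_list=allow_list, options=check_only_options())
    except Exception as exc:
        code = getattr(exc, "code", None)
        if code is None:
            raise  # transport or programming error, not a CTAP status
        code = int(code)
        if code == CTAP2_ERR_NO_CREDENTIALS:
            # Caveat: a credProtect level 3 credential answers this way too,
            # so "absent" really means "not found without user verification".
            return "absent"
        if code == CTAP2_ERR_PIN_REQUIRED:
            return "unknown: key requires UV for this request (alwaysUv or credProtect)"
        if code == CTAP2_ERR_INVALID_OPTION:
            return "unknown: key does not accept up=false"
        return "unknown: CTAP status 0x%02x" % code
    return "present"


def find_holder(rp_id, cred_id):
    """Probe every attached HID authenticator and return (first key that
    reported the credential, list of (device, verdict)). Needs python-fido2
    (pip install fido2), imported here so probe() stays usable without it."""
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2

    holder, results = None, []
    for dev in CtapHidDevice.list_devices():
        try:
            ctap = Ctap2(dev)  # sends authenticatorGetInfo; raises on CTAP1-only keys
            if ctap.info.options.get("alwaysUv"):
                # Such a key would prompt for UV instead of answering silently.
                verdict = "unknown: alwaysUv is set, skipped to avoid a UV prompt"
            else:
                verdict = probe(ctap.get_assertion, rp_id, cred_id)
        except Exception as exc:
            verdict = "unknown: %s" % exc
        finally:
            dev.close()
        results.append((dev, verdict))
        if verdict == "present" and holder is None:
            holder = dev
    return holder, results


if __name__ == "__main__":
    import base64
    import sys
    # usage: python probe.py <rp_id> <base64 credential id>
    rp, cid = sys.argv[1], base64.b64decode(sys.argv[2])
    found, per_device = find_holder(rp, cid)
    for dev, verdict in per_device:
        print(dev, verdict)
    print("holder:", found)
```

Treat "absent" as "not found without UV" rather than "this key never made the credential": a credential created with credProtect level 3 is hidden from a UV-less request, and a key with alwaysUv set is skipped here because it would prompt instead of answering silently, which matches the caveats in the answer above.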