Comments (4)
jmichelp
commented on July 28, 2024
The FIDO HID page is locked down by operating systems for security reasons. The fact that you can't connect to a security key using WebUSB is working as intended.
from opensk.
kaczmarczyck
commented on July 28, 2024
What do you intend to achieve through WebUSB? We have a --vendor-hid flag on develop for this purpose, and it allows you to run non-FIDO commands through WebUSB.
from opensk.
trustkeysolutions
commented on July 28, 2024
My goal for utilizing WebUSB is to facilitate seamless communication between a web application and the user's FIDO device. By leveraging WebUSB, I was trying to see if we can improve user experience with a more straightforward device setup and management process via the browser instead of a desktop app.
Thanks for the info on --vendor-hid flag. This flag indeed allows running non-FIDO commands through WebUSB, which could be useful for our application. However, my current focus is primarily on implementing FIDO-related functionality, but sounds like this is a dead-end.
That said, we will keep the --vendor-hid flag in mind for future development stages, especially when expanding our application to support non-FIDO features or when working with vendor-specific commands. Thanks, again.
from opensk.
kaczmarczyck
commented on July 28, 2024
Warning to all future users that come here: The following advice is dangerous if done wrong, please read to the end.
If you don't mind patching the OpenSK logic (and use the develop branch that is currently worked on), it's not hard to allow FIDO commands over vendor HID. The switch that is responsible is here:
OpenSK/libraries/opensk/src/ctap/mod.rs
Line 603 in 645c1ba
Remove the match over channel, always call process_fido_command and OpenSK allows FIDO calls over WebUSB.
There is a reason why we don't allow this, though: Anyone with WebUSB access can then freely send CTAP requests to your device. That includes silent authentication, which means any website could impersonate the user cross origin. I strongly suggest you don't do that, but instead have an authenticated vendor command. FIDO's security model relies on the browser being trustworthy, and therefore opening a hole to circumvent the browser is a bad idea.
Doing some management over the vendor HID channel should be fine though. For example, we send signed upgrades through that channel. The signature guarantees that we can't be impersonated.
from opensk.
Related Issues (20)
- GetAssertionOptionUvTrueTest test fails HOT 3
- pip install --user is unnecessary HOT 2
- Setup instructions should specify nrfutil version HOT 8
- versions in develop should include FIDO_2_1 HOT 1
- "configuring device" step needs a confirmation prompt to replug device on nrf52840_dongle_dfu HOT 5
- AuthenticatorConfigParameters swaps pinUvAuthProtocol and pinUvAuthParam field IDs HOT 1
- error: failed to get `arrayref` as a dependency of package `ctap2 v1.0.0 (/home/USER/OpenSK)` HOT 6
- How to change pin in Makerdiary nRF52840-MDK USB dongle HOT 2
- Improve Tock patches
- Move storage syscalls
- Edit the readme to link to the Quantum paper and point to the implementation file.
- Setup script can't install pip packages to the user's environment on Arch Linux HOT 2
- nordic dfu in develop fails to configure HOT 4
- Key not supported on ios for Apple Id 2fa HOT 36
- wrong board type in flashing command in install.md HOT 1
- Suggested environment to be able to build/compile HOT 10
- nrf52840_dongle: deploy.py succeeds programming but testing board not recognised by testing webpages. HOT 12
- How to delete an account you no longer use? HOT 2
- Can't enable JTAG lockdown HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from opensk.