Comments (7)
Maybe you've got more info here: https://www.stackallocated.com/blog/2019/u2f-to-webauthn/#pitfalls and the following section.
Not much time to work on it this week, so let me know if you can generate a valid response that I can include in tests as a starting point.
from wax.
Existing keys remain valid but the appid extension has to be supported, which is not currently the case in Wax. Doesn't seem to be very complicated to do, but can't guarantee it isn't and I'd like to implement a framework for extension as a whole.
Is it related to an incoming U2F Chrome deprecation or something?
from wax.
I see, I though that would be the case.
Is it related to an incoming U2F Chrome deprecation or something?
Yes, I was trying to migrate existing user keys seamlessly, but I think I will probably skip that for now then.
Looking forward for the extension framework and thanks for the quick reply!
from wax.
If I understood correctly, U2F is deprecated since Chrome 95 and will be disable in the coming weeks (or months?) in Chrome 98, right?
It doesn't look like a complicated feature to implement, but I'm trying to asses the urgency and the impact.
from wax.
Yes, it will be disabled next month, not sure about the impact in the beginning of February. When using a hardware key some people receive a prompt asking if they want to allow it with the following warning (translated from original language):
"This site will not be able to use U2F API after February 2022. If this site is yours you should update it to use Web Authentication API"
When looking into this post with a timeline we get (though not sure about how accurate it is):
M98 | February 2022 | Disable the U2F API by default; but keep it available to sites on the Deprecation Trial
I'm not sure what the "Deprecation Trial" means, maybe some simple warning or maybe an extra security step/warning, e.g. when a site is using a self-signed certificate.
from wax.
Anyway, I'd need a test case for this, so if you can provide me with a authentication response using appid
that'd help a lot.
from wax.
I would, but to be honest I was not able to generate one, I just did an initial try by generating a challenge with this library (which is probably wrong and should do it with the old one), and used the key_handle from u2f for the id in the allowCredentials, but somehow it always failed.
I have to say that this was entirely exploratory and I don't understand all the details of the standard, so there might have also been some simple errors from my part, even in converting data between representations. If you have a suggestion for me to generate one I can give it a go.
I did find some references in ruby that could be useful if I were to try and actually do it myself and which could help in this situation like:
from wax.
Related Issues (20)
- Remove unused asn1ex dependency HOT 1
- Wax doesn't handle failures elegantly HOT 3
- Implement CRL check when verifying TOC metadata HOT 2
- incorrect padding crashing Wax on app start HOT 2
- What is the 0.2.0 branch for HOT 2
- Publish on hex.pm HOT 11
- Remove custom cert verification in tpm routine HOT 1
- FunctionClauseError no function clause matching in Wax.Metadata.Statement.user_verification_method/1 HOT 6
- Use Mint for HTTP requests HOT 1
- Remove Tesla client HOT 4
- "Authenticator metadata was not found" error HOT 24
- Wax CoseKey verification failing HOT 8
- (UndefinedFunctionError) function :asn1ct.compile/2 is undefined ( HOT 14
- :algs_mismatch during attestation verification for Android Safetynet HOT 10
- Incorrect :type values set for Wax.AttestationVerificationErrors HOT 3
- Check COSE key credential alg matches alg provided by metadata
- Bad Certificate Error HOT 1
- disable worker(Wax.Metadata, []) during tests HOT 7
- Allow adding custom non-MDSv2 metadata HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wax.