Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows 10 version 1903 #33

Open
hregis opened this issue Aug 29, 2019 · 11 comments
Open

Windows 10 version 1903 #33

hregis opened this issue Aug 29, 2019 · 11 comments

Comments

@hregis
Copy link

hregis commented Aug 29, 2019
edited
Loading

Hello

The library works without problems in Mac OS X with Firefox, Chrome, Opera and Safari. (all last versions)

On Windows 10 version 1903, it works well under Chrome, but against Firefox and Edge, I have this error message when I want to register a key (yubikey and keydo)

"cannot decode FIDO format responses, sorry"

on the other hand if I save the keys with Chrome, I can authenticate without problem with Firefox and Edge.

Yet it worked well with Firefox before the 1903 update! and Chrome too ... Edge never worked as a key record.

Thank you for your work

(i use the "master" branch with the last commit)
@davidearl
Copy link
Owner

Thanks for the feedback about MacOS. Do you have a fingerprint reader on your Mac, and did that work?

Re 1903, I find that in all browsers, Windows Hello doesn't currently offer me the option of using a Yubico key even though I have registered it. I don't understand why at the moment.

Before 1903, I believe the key was being handled by the browser directly rather than Windows Hello.

@hregis
Copy link
Author

hregis commented Aug 29, 2019

No, I do not have a fingerprint reader on the Mac, but I will buy some for testing ...
on the other hand it works well with fingerprints with Firefox and Chrome on an Android phone.

davidearl added a commit that referenced this issue Aug 29, 2019
@davidearl
allow response->attestationObject->fmt = 'packed' through (Firefox ap…
c23aa9d 
…pears to return this on registration of a Yubico key through Windows Hello when authenticatorSelection->authenticatorAttachment->cross-platform is turned on. Also be more relaxed about publickkey->userIdentification ('discouraged' rather than 'preferred'). See #33
@davidearl
Copy link
Owner

Thanks.

If you were testing Fireforx with Windows Hello and Key through webauth.savesnine.info could you have another go now?

I was able to register my Yubico key if I turned on the usually commented out 'cross-platform' line in prepareChallengeForRegistration, and discovered it was returning a different value for fmt than before 1903. Allowing this lets it proceed, so I am hopeful it will in your case too where it doesn't seem to need cross-platform. (I am assuming that cross-platform allows you to use the key on other computers by identifying the key directly, rather than storing the identity as Windows Hello, which only works on one computer but with any of its enabled identity methods).

If you were using the code directly in your own test, I've updated the master with this same change.

@davidearl
Copy link
Owner

See also #34 - I made cross-platform an option

@hregis
Copy link
Author

hregis commented Aug 30, 2019

Hello @davidearl

I still have the same problems with the latest changes!
on the other hand I put this in comment and everything works well everywhere under Windows!

why the "fmt" can not be "fido-u2f"?
yet it works by having this value of "fmt"!

/*if ($ao->fmt == 'fido-u2f') {
            $this->oops("cannot decode FIDO format responses, sorry");
  } elseif ($ao->fmt != 'none' && $ao->fmt != 'packed') {
            $this->oops('cannot decode key response (4)');
  }*/

@hregis
Copy link
Author

hregis commented Aug 30, 2019

In fact I do not have a Windows 10 on a physical station, it is a virtual instance with Virtualbox, and Virtualbox crashes as soon as I use the keys! I should have a computer with Windows 10 to be sure! (I hate Windows !!!!!!) ;-)

@davidearl
Copy link
Owner

The code is essentially a translation of one of the original examples, which was in JavaScript. That example specifically excluded fido-utf2 , which is the precursor to webauthn, which presumably your key us. But if it works with that, there doesn’t seem any good reason to exclude it.

@hregis
Copy link
Author

hregis commented Aug 30, 2019

I am not sure that the option "discouraged" is secure !!
With your latest changes, Windows Hello saves the key, but as soon as you want to save the key in another application, it saves it without asking!
more when I want to use your library, the browser no longer asks for the key, it takes direct Windows Hello!

$result->authenticatorSelection->userVerification = 'discouraged';

@hregis
Copy link
Author

hregis commented Aug 30, 2019

you see this project ? (branch webauthn)

https://github.com/Firehed/u2f-php/tree/webauthn

@PHPGangsta
Copy link
Contributor

I have the same problem. Login on Windows 1903 works, but registration of a new key does not work. In the past Firefox was showing a small popup, telling the user to insert the key and press the button. Now it's a Microsoft popup ( Microsoft Hello?), and now it does not work anymore.

It's the
$ao->fmt == 'fido-u2f'
check that fails with "cannot decode FIDO format responses, sorry"

If I comment the if-statement (and the elseif) like @hregis wrote, it works fine.

@benjamindoe
Copy link
Contributor

benjamindoe commented Sep 3, 2019
edited
Loading

You won't see a popup from Firefox anymore. It's an update of 1903 that all goes through Windows Security. If you try it out here you'll get the same results
https://webauthn.io/

Also, see #27 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hregis @PHPGangsta @davidearl @benjamindoe