Here is a tip for identifying what your FIDO2 key’s capabilities are. This is useful when you don’t have access to docs from the vendor or just want to be certain of the key capabilities.
The below process is written for those using Windows 10.
- Open the settings app
- Click “Accounts” -> “Sign-in Options” -> “Security Key” and then click “Manage”.
- Insert your security key if you haven’t already done so, then tap it.
- Now click close.
- Open the Event Viewer and navigate to “Application and Services” -> “Microsoft” -> “Windows” -> “WebAuthn” -> “Operational”
- Filter for event “2102” to get CTAP responses.
- Use “Find” to locate the most recent “GetInfo” CTAP command response. You should have a response like so.
- Copy the entire hexadecimal response value to your clipboard.
- Open your preferred web browser and navigate to http://cbor.me
- Paste the copied response on the right in the “Bytes” section. Select “emb cbor” for embedded cbor and click the “left arrow” to decode into CBOR diagnostic notation.
- You should see a response like so.
- I’ve pasted a prettified version of the CBOR diagnostic notation from the left pane below.
[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_096e&pid_0866&mi_00#7&7cce53e&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "FS",
"product": "BioPassFIDO2",
"pinStatus": 0,
"pinRetries": 8},
"status": 0,
"response": << 0,
{1: ["FIDO_2_0", "FIDO_2_1_PRE"],
2: ["credProtect", "hmac-secret"],
3: h'12DED7454BED47D4ABAAE713F51D6393',
4: {"rk": true, "up": true, "uv": false, "plat": false, "clientPin": false, "credentialMgmtPreview": true, "userVerificationMgmtPreview": false},
5: 2048,
6: [1],
7: 10,
8: 96,
9: ["usb"],
10: [{"alg": -7, "type": "public-key"}]} >>}]
The spec document at https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo helps us understand the response for pure CTAP 2.0 based keys. But as this is a key supporting CTAP 2.1 preview features, the “Client to Authenticator Protocol (CTAP)” specification on fidoalliance.org provides more details.
The device info section indicates the vendor and model of my key. In my case this is a Feitian BioPass K43, which simply identifies itself as “BioPassFIDO2”. It also reveals the PIN status for the key: 8 retries remain before lockout.
The response’s 1st section identifies the CTAP protocol versions supported. This key supports both CTAP 2.0 and the CTAP 2.1 preview features.
The 2nd section of the response identifies the extensions supported. This key supports both the credProtect and the hmac-secret extensions.
The 3rd section identifies the AAGUID of the key. We can convert it to the commonly recognised format with hyphens like so.
PS C:\Users\maweeras> [guid]"12DED7454BED47D4ABAAE713F51D6393"
Guid
----
12ded745-4bed-47d4-abaa-e713f51d6393
PS C:\Users\maweeras>
The 4th section identifies the supported options. This map reveals:
- rk (resident keys) on the device are possible.
- up (user presence) can be tested.
- uv (user verification) is false, indicating the key has built-in biometric capabilities to verify the user but they are currently unconfigured.
- plat (platform) is false as this is a roaming authenticator, as opposed to a Windows Hello or similar key tied to the client.
- clientPin is false as a PIN has not been set yet (although the key is capable of configuring one).
The 5th is the maximum message size.
The 6th is the supported PIN protocol versions.
The 7th is the maximum number of credentials supported in a credential ID list.
The 8th is the maximum credential ID length.
The 9th is the supported transports for this key. This key supports usb only.
The 10th lists the supported algorithms for credential generation. As per https://www.iana.org/assignments/cose/cose.xhtml#algorithms “-7” is ECDSA w/ SHA-256.
Not all sections are mandatory. Some keys may not output as much detail.
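As a local alternative to pasting the hex into cbor.me, here is a small decoder for the GetInfo response that names the numbered sections walked through above. It is an added example, not part of the original post; `decode_item`, `parse_getinfo`, `option_state`, `FIELDS` and `SAMPLE` are hypothetical names, and it assumes the input is hex of either the whole event payload or just its "response" bytes.

```python
import uuid

# authenticatorGetInfo member names for keys 1-10, as named in the CTAP specifications
FIELDS = {1: "versions", 2: "extensions", 3: "aaguid", 4: "options",
          5: "maxMsgSize", 6: "pinUvAuthProtocols", 7: "maxCredentialCountInList",
          8: "maxCredentialIdLength", 9: "transports", 10: "algorithms"}

def decode_item(buf, i):
    """Decode one CBOR item starting at buf[i]; return (value, next index)."""
    major, low, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if major == 6 or low > 27 or (major == 7 and low not in (20, 21)):
        raise ValueError("item type not expected in a CTAP2 getInfo response")
    if major == 7:                        # simple values: 20 is false, 21 is true
        return low == 21, i
    size = 1 << (low - 24) if low >= 24 else 0       # length bytes that follow
    n, i = (int.from_bytes(buf[i:i + size], "big") if size else low), i + size
    if major in (2, 3):                   # byte string / text string of n bytes
        return (buf[i:i + n] if major == 2 else buf[i:i + n].decode()), i + n
    if major in (4, 5):                   # array of n items / map of n key-value pairs
        flat = []
        for _ in range(n * (major - 3)):
            value, i = decode_item(buf, i)
            flat.append(value)
        return (flat if major == 4 else dict(zip(flat[::2], flat[1::2]))), i
    return (n if major == 0 else -1 - n), i          # unsigned / negative integer

def parse_getinfo(hex_value):
    """Decode GetInfo from hex: the whole event payload or only its 'response' bytes."""
    raw = bytes.fromhex(hex_value)
    outer, _ = decode_item(raw, 0)
    raw = outer[0]["response"] if isinstance(outer, list) else raw  # unwrap event payload
    if raw[:1] != b"\x00":
        raise ValueError("status byte is not 0x00 (success)")
    info, end = decode_item(raw, 1)
    if end != len(raw) or not isinstance(info, dict):
        raise ValueError("expected exactly one complete CBOR map")
    out = {FIELDS.get(k, f"member_{k}"): v for k, v in info.items()}
    out["aaguid"] = str(uuid.UUID(bytes=out["aaguid"]))  # required member, hyphenated
    return out

def option_state(info, name):  # for 'uv' and 'clientPin': absent, false and true differ
    value = info["options"].get(name)     # None when the key does not list the option
    return {None: "unsupported", False: "not configured", True: "configured"}[value]

# Constructed sample: the BioPass values shown above, hand-encoded as CBOR, then hex
SAMPLE = (b"\x00\xaa\x01\x82\x68FIDO_2_0\x6cFIDO_2_1_PRE\x02\x82\x6bcredProtect\x6bhmac-secret\x03\x50"
          + bytes.fromhex("12DED7454BED47D4ABAAE713F51D6393") + b"\x04\xa7\x62rk\xf5\x62up\xf5\x62uv\xf4\x64plat\xf4"
          b"\x69clientPin\xf4\x75credentialMgmtPreview\xf5\x78\x1buserVerificationMgmtPreview\xf4\x05\x19\x08\x00"
          b"\x06\x81\x01\x07\x0a\x08\x18\x60\x09\x81\x63usb\x0a\x81\xa2\x63alg\x26\x64type\x6apublic-key").hex()
```

`option_state(parse_getinfo(SAMPLE), "uv")` separates a key that has biometrics but no enrolled fingerprint from one that lists no `uv` option at all, such as the YubiKey 5 NFC below.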
Here are some prettified versions of some of the other keys I have.
Feitian K33
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_096e&pid_0867&mi_00#7&3aa32f22&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "FS"
"product": "BioPassFIDO2"
"pinStatus": 0
"pinRetries": 8}
"status": 0, "response": << 0
{1: ["FIDO_2_0", "FIDO_2_1_PRE"]
2: ["credProtect", "hmac-secret"]
3: h'12DED7454BED47D4ABAAE713F51D6393'
4: {"rk": true, "up": true, "uv": true, "plat": false, "clientPin": true, "credentialMgmtPreview": true, "userVerificationMgmtPreview": true}
5: 2048
6: [1]
7: 10
8: 96
9: ["usb"]
10: [{"alg": -7, "type": "public-key"}]} >>}]
Feitian K25
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_096e&pid_085a#6&1c3b446a&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "FS"
"product": "ePass FIDO"}
"status": 0, "response": << 0
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"]
2: ["hmac-secret", "credProtect"]
3: h'310B2830BD4A4DA5832E9A0DFC90ABF2'
4: {"rk": true, "up": true, "plat": false, "clientPin": false, "credentialMgmtPreview": true}
5: 1024
6: [1]
7: 6
8: 96} >>}]
Feitian A4B
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_096e&pid_0854&mi_01#7&2fcc7723&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "FT"
"product": "FIDO"
"pinStatus": 0
"pinRetries": 8}
"status": 0, "response": << 0
{1: ["U2F_V2", "FIDO_2_0"]
2: ["credProtect", "hmac-secret"]
3: h'833B721AFF5F4D00BB2EBDDA3EC01E29'
4: {"rk": true, "up": true, "uv": false, "plat": false, "clientPin": true}
5: 2048
6: [1]
7: 10
8: 96
9: ["usb"]
10: [{"alg": -7, "type": "public-key"}]} >>}]
Feitian K26
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_096e&pid_085d&mi_00#7&3a9eb008&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "FS"
"product": "BioPassFIDO2"
"pinStatus": 0
"pinRetries": 8}
"status": 0, "response": << 0
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"]
2: ["credProtect", "hmac-secret"]
3: h'77010BD7212A4FC9B236D2CA5E9D4084'
4: {"rk": true, "up": true, "uv": true, "plat": false, "clientPin": true, "credentialMgmtPreview": true, "userVerificationMgmtPreview": true}
5: 2048
6: [1]
7: 10
8: 96
9: ["usb"]
10: [{"alg": -7, "type": "public-key"}]} >>}]
Feitian K27
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_096e&pid_085d&mi_00#7&7876465&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "FS"
"product": "BioPassFIDO2"
"pinStatus": 0
"pinRetries": 8}
"status": 0, "response": << 0
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"]
2: ["credProtect", "hmac-secret"]
3: h'77010BD7212A4FC9B236D2CA5E9D4084'
4: {"rk": true, "up": true, "uv": true, "plat": false, "clientPin": true, "credentialMgmtPreview": true, "userVerificationMgmtPreview": true}
5: 2048
6: [1]
7: 10
8: 96
9: ["usb"]
10: [{"alg": -7, "type": "public-key"}]} >>}]
Feitian iePass FIDO
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_096e&pid_0853&mi_02#7&32d67d08&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "FS"
"product": "FIDO"}
"status": 0, "response": << 0
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"]
2: ["credProtect", "hmac-secret"]
3: h'3E22415D7FDF4EA48A0CDD60C4249B9D'
4: {"rk": true, "up": true, "plat": false, "clientPin": false, "credentialMgmtPreview": true}
5: 1024
6: [1]
7: 6
8: 96
9: ["usb"]
10: [{"alg": -7, "type": "public-key"}]} >>}]
HyperFido Mini
[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_2ccf&pid_0854&mi_01#7&188603c6&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "HS",
"product": "FIDO",
"pinStatus": 0,
"pinRetries": 8},
"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0"],
2: ["hmac-secret"],
3: h'9F77E279A6E24D58B70031E5943C6A98',
4: {"rk": true, "up": true, "uv": false, "plat": false, "clientPin": false},
5: 2048,
6: [1]} >>}]
YubiKey 5 NFC
[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_1050&pid_0407&mi_01#7&233ab236&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "Yubico",
"product": "YubiKey OTP+FIDO+CCID",
"pinStatus": 0,
"pinRetries": 8},
"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0"],
2: ["hmac-secret"],
3: h'FA2B99DC9E3942578F924A30D23C4118',
4: {"rk": true, "up": true, "plat": false, "clientPin": true},
5: 1200,
6: [1]} >>}]
YubiKey 5 NFC FIPS
[{"deviceInfo": {"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_1050&pid_0407&mi_01#7&233ab236&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "Yubico",
"product": "YubiKey OTP+FIDO+CCID"},
"status": 0, "response": << 0,
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"],
2: ["credProtect", "hmac-secret"],
3: h'C1F9A0BC1DD2404AB27F8E29047A43FD',
4: {"rk": true, "up": true, "plat": false, "clientPin": false, "credentialMgmtPreview": true},
5: 1200,
6: [2, 1],
7: 8,
8: 128,
9: ["nfc", "usb"],
10: [{"alg": -7, "type": "public-key"}, {"alg": -8, "type": "public-key"}],
13: 6,
14: 328706,
19: {"FIPS-CMVP-2": 2, "FIPS-CMVP-2-PHY": 3}} >>}]
TrustKey G320H
[{"deviceInfo": {"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_311f&pid_4a2a&mi_00#7&3192f11f&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "TrustKey",
"product": "TrustKey G320H",
"pinStatus": 0,
"pinRetries": 8},
"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"],
2: ["credProtect", "hmac-secret"],
3: h'87DBC5A14C944DC88A4797D800FD1F3C',
4: {"rk": true, "up": true, "uv": false, "plat": false, "clientPin": false, "credentialMgmtPreview": true, "userVerificationMgmtPreview": false},
5: 2048,
6: [1],
7: 6,
8: 192,
9: ["usb"]} >>}]
GoTrust Idem Key
[{"deviceInfo": {"providerType": "Hid"
"providerName": "MicrosoftCtapHidProvider"
"devicePath": "\\\\?\\hid#vid_32a3&pid_3201#6&29b4518a&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}"
"manufacturer": "GoTrust"
"product": "Idem Key"
"pinStatus": 0
"pinRetries": 8}
"status": 0
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0"]
2: ["hmac-secret"]
3: h'3B1ADB990DFE46FD90B87F7614A4DE2A'
4: {"rk": true, "up": true, "plat": false, "clientPin": true}
5: 1024
6: [1]} >>}]
Solo USB-A (after firmware update)
[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_0483&pid_a2ca#6&50c1f19&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "SoloKeys",
"product": "Solo 4.1.2",
"pinStatus": 0,
"pinRetries": 8},
"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"],
2: ["credProtect", "hmac-secret"],
3: h'8976631BD4A0427F57730EC71C9E0279',
4: {"rk": true, "up": true, "plat": false, "credMgmt": true, "clientPin": false},
5: 1200,
6: [1],
7: 20,
8: 128} >>}]
Authentrend ATKey.Pro
[{
"deviceInfo": {
"maxMsgSize": 0,
"maxSerializedLargeBlobArray": 0,
"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_31bb&pid_0622&mi_00#7&2219d15&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "AuthenTrend Technology Inc.",
"product": "ATKey.Pro-2200003E",
"pinStatus": 0,
"pinRetries": 8,
"uvStatus": 0,
"uvRetries": 15
},
"status": 0,
"response": << 0,
{
1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1", "FIDO_2_1_PRE"],
2: ["credBlob", "credProtect", "hmac-secret", "largeBlobKey", "minPinLength"],
3: h'E416201BAFEB41CAA03D2281C28322AA',
4: {
"rk": true,
"up": true,
"uv": true,
"plat": false,
"uvAcfg": true,
"alwaysUv": true,
"credMgmt": true,
"authnrCfg": true,
"bioEnroll": true,
"clientPin": true,
"largeBlobs": true,
"uvBioEnroll": true,
"pinUvAuthToken": true,
"setMinPINLength": true,
"makeCredUvNotRqd": false,
"credentialMgmtPreview": true,
"userVerificationMgmtPreview": true,
"noMcGaPermissionsWithClientPin": true
},
5: 2048,
6: [1, 2],
7: 20,
8: 64,
9: ["usb"],
10: [{
"alg": -7,
"type": "public-key"
}, {
"alg": -8,
"type": "public-key"
}],
11: 1024,
12: false,
13: 4,
14: 20001,
15: 256,
16: 10,
18: 2,
21: [4222588906093956714, 3137615053190153251, 7452615122542182187, 8083404361767209739]
} >>
}]
Hope this helps someone out there