Identifying FIDO2 key capabilities

Here is a tip for identifying what your FIDO2 key's capabilities are. This is useful when you don't have access to docs from the vendor, or when you just want to be certain of the key's capabilities rather than trusting the marketing sheet.

The below process is written for those using Windows 10.

    1. Open the Settings app.
    2. Click "Accounts" -> "Sign-in Options" -> "Security Key" and then click "Manage".
    3. Insert your security key if you haven't already done so, then tap your key.
    4. Now click "Close".
    5. Open the Event Viewer and navigate to "Application and Services" -> "Microsoft" -> "Windows" -> "WebAuthn" -> "Operational".
    6. Filter for event ID "2102" to get the CTAP responses.
    7. Use "Find" to locate the most recent "GetInfo" CTAP command response. You should see a response whose value is a hexadecimal string.
    8. Copy the entire hexadecimal response value to your clipboard.
    9. Open your preferred web browser and navigate to http://cbor.me
    10. Paste the copied response on the right in the "Bytes" section. Select "emb cbor" for embedded CBOR and click the "left arrow" to decode into CBOR diagnostic notation.
    11. You should now see the decoded response in the left pane.
    12. I've pasted a prettified version of the CBOR diagnostic notation from the left pane below.

[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_096e&pid_0866&mi_00#7&7cce53e&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "FS",
"product": "BioPassFIDO2",
"pinStatus": 0,
"pinRetries": 8},

"status": 0,
"response": << 0,
{1: ["FIDO_2_0", "FIDO_2_1_PRE"],
2: ["credProtect", "hmac-secret"],
3: h'12DED7454BED47D4ABAAE713F51D6393',
4: {"rk": true, "up": true, "uv": false, "plat": false, "clientPin": false, "credentialMgmtPreview": true, "userVerificationMgmtPreview": false},
5: 2048,
6: [1],
7: 10,
8: 96,
9: ["usb"],
10: [{"alg": -7, "type": "public-key"}]} >>}]

The spec document at https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo helps us understand the response for pure CTAP 2.0 based keys. But as this is a key supporting CTAP 2.1 preview features, the newer Client to Authenticator Protocol (CTAP) 2.1 specification on fidoalliance.org provides more details.

The device info section indicates the vendor and model of my key. In my case this is a Feitian BioPass K43, which simply identifies itself as "BioPassFIDO2". We also see it reveals the PIN status for the key: we have 8 retries remaining before lockout.

The response’s 1st section identifies the CTAP protocols supported. This key supports both 2.0 and 2.1 CTAP preview features.

The 2nd section of the response identifies the extensions supported. This key supports both the credProtect and the hmac-secret extensions.

The 3rd section identifies the AAGUID of the key. We can convert it to the commonly recognised hyphenated format using PowerShell like so.

PS C:\Users\maweeras> [guid]"12DED7454BED47D4ABAAE713F51D6393"

Guid
----
12ded745-4bed-47d4-abaa-e713f51d6393

PS C:\Users\maweeras>

The 4th section identifies the supported options. This map reveals:

  • rk (resident keys) on the device are possible.
  • up (user presence) can be tested.
  • uv (user verification) is present but false, indicating the key has built-in biometric capability to verify the user but it is currently unconfigured (an absent uv key would mean no built-in user verification at all).
  • plat (platform) is false, as this is a roaming authenticator as opposed to a Windows Hello or similar authenticator tied to the client.
  • clientPin is present but false, as a PIN has not been set yet (although the key is capable of configuring one).

The 5th is the maximum message size in bytes (maxMsgSize).

The 6th is the list of supported PIN protocol versions.

The 7th is the maximum number of credential IDs the key will accept in a single allow list or exclude list (maxCredentialCountInList).

The 8th is the maximum credential ID length in bytes.

The 9th is the list of supported transports for this key. This key supports USB only.

The 10th lists the supported algorithms for credential generation. As per https://www.iana.org/assignments/cose/cose.xhtml#algorithms, "-7" is ECDSA w/ SHA-256.

Not all sections are mandatory. Some keys will not output as much detail, so expect some of the numbered keys to be missing.
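To decode the GetInfo value without leaving the machine, here is an added stand-alone decoder (my own example, not part of the original post or any vendor tool). It is a minimal definite-length CBOR decoder using only the standard library, which maps the numbered keys to their CTAP 2.0 spec names, formats the AAGUID like the PowerShell [guid] cast, tolerates missing optional keys, and rejects a non-zero CTAP status byte. The sample bytes are hand-encoded from the BioPass diagnostic notation above, not copied from an event log.

```python
import uuid

GETINFO_FIELDS = {1: "versions", 2: "extensions", 3: "aaguid", 4: "options",  # CTAP 2.0 key numbers
                  5: "maxMsgSize", 6: "pinProtocols", 7: "maxCredentialCountInList",
                  8: "maxCredentialIdLength", 9: "transports", 10: "algorithms"}

def _decode(buf, pos):
    """Decode one definite-length CBOR item at buf[pos]; returns (value, next_pos)."""
    ib = buf[pos]; major, info = ib >> 5, ib & 0x1F; pos += 1
    if info < 24:
        arg = info
    elif info < 28:  # a 1/2/4/8-byte argument follows the initial byte
        n = 1 << (info - 24); arg = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    else:
        raise ValueError("indefinite-length CBOR is not used by CTAP")
    if major == 0: return arg, pos
    if major == 1: return -1 - arg, pos            # negative ints, e.g. COSE alg -7
    if major == 2: return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3: return buf[pos:pos + arg].decode(), pos + arg
    if major in (4, 5):                            # array, or map read as alternating k/v
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            v, pos = _decode(buf, pos); items.append(v)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    return {20: False, 21: True, 22: None}.get(arg, arg), pos  # simple values only

def parse_getinfo(hex_response):
    """hex_response is the event 2102 value: one CTAP status byte, then the CBOR map."""
    buf = bytes.fromhex("".join(hex_response.split()))
    if buf[0] != 0x00:  # 0x00 is CTAP2_OK; anything else is an error code, not GetInfo data
        raise ValueError(f"authenticator returned CTAP error 0x{buf[0]:02x}")
    body, end = _decode(buf, 1)
    if end != len(buf):
        raise ValueError("trailing bytes after the GetInfo map")
    info = {GETINFO_FIELDS.get(k, f"unknown_{k}"): v for k, v in body.items()}
    if "aaguid" in info:  # same hyphenated form the [guid] cast gives in PowerShell
        info["aaguid"] = str(uuid.UUID(bytes=info["aaguid"]))
    return info

# Constructed by hand from the BioPass FIDO2 diagnostic notation above, not a captured event
BIOPASS_GETINFO_HEX = (
    "00 AA"                                                      # CTAP2_OK, map(10)
    " 01 82 68 4649444F5F325F30 6C 4649444F5F325F315F505245"     # versions
    " 02 82 6B 6372656450726F74656374 6B 686D61632D736563726574"  # extensions
    " 03 50 12DED7454BED47D4ABAAE713F51D6393"                    # aaguid
    " 04 A7 62726B F5 627570 F5 627576 F4 64706C6174 F4 69636C69656E7450696E F4"
    " 75 63726564656E7469616C4D676D7450726576696577 F5"
    " 78 1B 75736572566572696669636174696F6E4D676D7450726576696577 F4"
    " 05 190800 06 8101 07 0A 08 1860 09 81 63757362"            # maxMsgSize .. transports
    " 0A 81 A2 63616C67 26 6474797065 6A 7075626C69632D6B6579")  # algorithms: -7 = ES256
```

Calling parse_getinfo(BIOPASS_GETINFO_HEX) returns a dict keyed by the spec names, so a key that omits, say, transports simply has no "transports" entry rather than breaking the decode.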

Here are some prettified versions of some of the other keys I have.

HyperFido Mini

[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_2ccf&pid_0854&mi_01#7&188603c6&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "HS",
"product": "FIDO",
"pinStatus": 0,
"pinRetries": 8},

"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0"],
2: ["hmac-secret"],
3: h'9F77E279A6E24D58B70031E5943C6A98',
4: {"rk": true, "up": true, "uv": false, "plat": false, "clientPin": false},
5: 2048,
6: [1]} >>}]

YubiKey 5 NFC

[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_1050&pid_0407&mi_01#7&233ab236&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "Yubico",
"product": "YubiKey OTP+FIDO+CCID",
"pinStatus": 0,
"pinRetries": 8},

"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0"],
2: ["hmac-secret"],
3: h'FA2B99DC9E3942578F924A30D23C4118',
4: {"rk": true, "up": true, "plat": false, "clientPin": true},
5: 1200,
6: [1]} >>}]

Solo USB-A (after firmware update)

[{"deviceInfo":
{"providerType": "Hid",
"providerName": "MicrosoftCtapHidProvider",
"devicePath": "\\\\?\\hid#vid_0483&pid_a2ca#6&50c1f19&0&0000\#{4d1e55b2-f16f-11cf-88cb-001111000030}",
"manufacturer": "SoloKeys",
"product": "Solo 4.1.2",
"pinStatus": 0,
"pinRetries": 8},

"status": 0,
"response": << 0,
{1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"],
2: ["credProtect", "hmac-secret"],
3: h'8976631BD4A0427F57730EC71C9E0279',
4: {"rk": true, "up": true, "plat": false, "credMgmt": true, "clientPin": false},
5: 1200,
6: [1],
7: 20,
8: 128} >>}]

Hope this helps someone out there.
