Token2 T2F2-NFC-Dual does not work with PinProtocol 2 #269
Comments
That's bad, there is meant to be a unique AAGUID for each model. The MDS being outdated is also bad here because it seems the certified version was in 2019, and the device has clearly had firmware updates.
Unfortunately working around this means we're going to have to build a "quirks mode" to not use features on certain keys. There are other strange bugs with its NFC implementation which suggest that it's not parsing some commands correctly either. I haven't yet attempted to make a reliable reproduction. I haven't attempted to contact the vendor yet.
I've sent an email to the vendor today notifying them of the issue and included protocol traces, so will see what they say.
Even if they update the firmware, we'll still potentially need quirks to support devices that haven't received the update.
Vendor identified the bug in Incidentally, as this code worked on Yubikey Bio, that means those keys have a bug...
It looks like Token2 implemented this correctly, but Yubikey did not.
I did this
Using Token2 T2F2-NFC-Dual: `key_manager` example, and `authenticate` example with `ctap` backend. Repeated above test with key connected via NFC and via USB.
I expected the following
Prompted for PIN, and can register credential successfully using first available Pin Protocol (2).
What actually happened
Prompted for PIN, got Ctap error: Ctap(Ctap2PinAuthInvalid)
Version (and git commit)
0ed816f
Operating System / Version
Win10, Linux
Any other comments
Device reports:
Interestingly the MDS reports different data (only FIDO 2.1-PRE and PinProtocol 1):
There are also other devices which appear to use the same AAGUID (Token2 T2F2-Bio).
If I modify `ctap20.rs` to only try to authenticate with PinProtocol 1, it works correctly. The key also continues to work when setting or changing a PIN in PinProtocol 2 mode. I was also able to authenticate correctly using a Yubikey Bio on PinProtocol 2, so I suspect this is a bug with the Token2 key itself.
Windows WebAuthn API appears to use PinProtocol 1 only, so can't really compare that 😞
The Token2 T2F2 which I also got to test appears to be a rebadged Feitian ePass FIDO2 (`833b721a-ff5f-4d00-bb2e-bdda3ec01e29`) which does not support PinProtocol 2 (and doesn't claim to -- so that's fine).