Option to require PIN for WebAuthN when User Verification is Preferred but not met #120
Comments
Hi @gtbuchanan Can you tell me for information the model of your Android phone and the type of security key used? Using Samsung Pass (Authenticator) I can register and log in regardless of the options selected. The concern may not come from Android but from Samsung in my case. With a Yubikey Security Key NFC, when I use it in NFC with the phone, there is indeed an obligation to change the settings as indicated below. When registering, the Authenticator (Samsung Pass) provides an empty AaGuid (with zeros only), and this is the source of the problem. I can also tell you that I succeeded in registering the key in NFC on my GitHub account, and of course, it doesn't work when I want to authenticate with ... For me, it's up to Samsung to do what is necessary. Your proposal to add the entry of a PIN by the component when it comes to biometric validation is interesting, and we will look into it. Don't you think that adding a new pin in addition to the security key as well as the different pins of the phone (probably all different) won't be confusing for your users? Regards redhook
@redhook62 I am using a Samsung S8 with a Yubico Security Key NFC. Thank you for confirming you have the same problem.
I think NFC will always have this problem since there isn't a way for the user to enter their PIN on this security key before it's scanned. Nonetheless, even plugging the key into the phone via USB doesn't prompt for the PIN. That's one of the main reasons I think requiring a PIN in ADFS MFA in this situation could improve security while still allowing users to use NFC for convenience.
I think it's actually a problem with Google Play Services rather than Samsung but I totally agree it is not a problem with ADFS MFA.
I definitely agree with it being optional. Something like "Pin code required when unverified" under the existing "Pin code required" option. I'm mostly just trying to think of ways to use security keys with user verification "Required" without preventing users from using certain devices that don't support the full standard yet. It's been about a year since the Google Play Services bug report was submitted so it doesn't seem to be too high priority for them.
You bring up a good point and you're probably right. My other concern would be users using the same PIN as they do for their security key. However, I think it is still easier to remember multiple PINs than having to remember multiple complex passwords and still more secure than not having a PIN altogether. I should mention my main interest is in the upcoming Yubikey Bio which will require the user's fingerprint for verification directly on the key. Even though it won't have the convenience of NFC, it will have all 3 factors of authentication:
Without the PIN on Android, that drops it back down to 2. Again, not really the problem of this library but since Google Play Services is closed source it's about the best I can think of to achieve this.
Hi @gtbuchanan I have good news for you ...
Basically by activating optional future options
I think there will be a new version early next week, time to build the configuration interface and perform more comprehensive tests. Best regards redhook
Done in version 3.0.2010.0 Regards
@redhook62 Thanks for the new addition and the quick turnaround! Do you mind explaining how it should be configured? I have tried a couple of different scenarios but they don't seem to work as I expected. I have tried:

```powershell
$p = Get-MFAProvider -ProviderType Biometrics
$p.PinRequired = $false
# Have also tried just "None" and "None, AndroidKey, AndroidSafetyNet" here with the same results
$p.PinRequirements = "None, AndroidKey, AndroidSafetyNet, Fido2U2f, Packed, TPM"
Set-MFAProvider -ProviderType Biometrics $p
```

The above doesn't cause an MFA PIN prompt in Firefox for Windows 10 (expected) but also doesn't cause an MFA PIN prompt in Chrome for Android (unexpected).

```powershell
$p = Get-MFAProvider -ProviderType Biometrics
$p.PinRequired = $true
$p.PinRequirements = "None, AndroidKey, AndroidSafetyNet, Fido2U2f, Packed, TPM"
Set-MFAProvider -ProviderType Biometrics $p
```

This causes an MFA PIN prompt in both the aforementioned situations (undesired on Windows since it's already prompted on the Yubikey). I assume I would think that
Please disregard this comment. I believe I misunderstood the source of the values for
Hi @gtbuchanan Indeed, the value of PinRequired must remain at False, otherwise the entry of the pin code becomes mandatory. Then for maximum security, check all options. But in your case, you must absolutely select PACKED (Yubikey Security Key in Windows Hello) and FIDO2-U2F (NFC or USB). The trigger is not made according to the type of key, but according to a bit indicating whether the user has interacted with the device.

```powershell
$p = Get-MFAProvider -ProviderType Biometrics
$p.PinRequired = $False
$p.PinRequirements = "None, AndroidKey, AndroidSafetyNet, Fido2U2f, Packed, TPM"
Set-MFAProvider -ProviderType Biometrics $p
```

Or for example

```powershell
$p = Get-MFAProvider -ProviderType Biometrics
$p.PinRequired = $False
$p.PinRequirements = "None, Fido2U2f, Packed"
Set-MFAProvider -ProviderType Biometrics $p
```

However, there is another problem: the links for the PIN entry wizard do not appear in the interface. I will quickly push a fix. Regards
Fix available! Regards
This request stems from the seemingly incomplete implementations of WebAuthN on mobile devices (Android in my case). However, it would go a long way in providing more security to the "Preferred" option for WebAuthN "User Attestation Verification Requirement" as a whole.
When authenticating with a security key on Chrome for Android while the option is set to "Preferred" or "Required", there is currently never a prompt for a PIN if the key supports it. While I think this is technically just a missing feature in Chrome for Android, it means by setting the option to "Required" I cannot authenticate with WebAuthN on Android. However, setting the option to "Preferred" reduces security in a passwordless scenario since WebAuthN implementations can choose not to require the user to enter the PIN for the security key.
My proposal is to add an option to ADFSMFA to require a PIN for biometrics only when the "User Attestation Verification Requirement" is set to "Preferred" but is not met by the authenticator. This would allow authenticators that support prompting for the PIN on the security key to do so (this is more secure than the ADFSMFA PIN since it is out-of-band) and work around the current reduced security of mobile devices' WebAuthN implementations.
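To make the proposal concrete, and the maintainer's remark above that the trigger is "a bit indicating whether the user has interacted with the device", here is an added illustration of the relying-party side of that check. It is example code written for this thread, not code from adfsmfa, and it assumes the decision semantics described in the comments (PinRequired forces the server PIN; otherwise the server PIN is asked for only when user verification is "preferred", the authenticator did not set the UV flag, and the attestation format is listed in PinRequirements). The format names, the RP id and the sample authenticator data are constructed for the example; the flag bit positions are the ones defined by the WebAuthn specification.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # User Present: the user touched the authenticator
FLAG_UV = 0x04  # User Verified: the authenticator checked a PIN or biometric

# Names mirroring the PinRequirements values quoted in the thread (assumed mapping
# to attestation formats; adfsmfa's real mapping is not shown on this page)
PIN_REQUIREMENT_FORMATS = {"None", "AndroidKey", "AndroidSafetyNet",
                           "Fido2U2f", "Packed", "TPM"}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def rp_id_matches(auth: dict, expected_rp_id: str) -> bool:
    """The rpIdHash must be SHA-256 of the RP id the server expects, or the assertion is foreign."""
    return auth["rp_id_hash"] == hashlib.sha256(expected_rp_id.encode()).digest()


def decide_pin_prompt(uv_requirement: str, attestation_format: str, auth: dict,
                      pin_required: bool, pin_requirements: set) -> str:
    """Return 'reject', 'prompt_pin' or 'accept' for one assertion.

    uv_requirement is the relying party's userVerification setting
    ('required', 'preferred' or 'discouraged').
    """
    if attestation_format not in PIN_REQUIREMENT_FORMATS:
        raise ValueError(f"unknown attestation format {attestation_format!r}")
    if not auth["user_present"]:
        return "reject"  # no user presence at all is never acceptable
    if uv_requirement == "required" and not auth["user_verified"]:
        return "reject"  # 'required' means UV must be proven by the authenticator
    if pin_required:
        return "prompt_pin"  # PinRequired=True: server PIN is mandatory regardless of UV
    if (uv_requirement == "preferred"
            and not auth["user_verified"]
            and attestation_format in pin_requirements):
        # The authenticator was not able (or not asked) to verify the user, so
        # the server-side PIN restores the second factor the flow would otherwise lose.
        return "prompt_pin"
    return "accept"


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData prefix for demonstration (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: NFC key tapped on a phone, touch proven but no PIN/biometric (UP only)
    nfc_tap = parse_authenticator_data(build_sample_auth_data("login.example.com", FLAG_UP, 7))
    # Constructed sample: same key used where the browser collected the key's PIN (UP and UV)
    usb_with_pin = parse_authenticator_data(
        build_sample_auth_data("login.example.com", FLAG_UP | FLAG_UV, 8))
    policy = {"Fido2U2f", "Packed"}
    for name, auth in (("nfc tap", nfc_tap), ("usb with key pin", usb_with_pin)):
        print(name, rp_id_matches(auth, "login.example.com"),
              decide_pin_prompt("preferred", "Fido2U2f", auth, False, policy))
```

The interesting case is the first sample: with the UV bit clear the server falls back to its own PIN, whereas the second sample is accepted without a second prompt because the key already verified the user, which is exactly the "prompt on Android, not on Windows" behaviour asked for in the thread.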