Introduction
Following the RSA Conference at the end of April, the WebAuthn and FIDO2 community has been buzzing with activity.
Firefox has announced WebAuthn support, Google introduced WebAuthn for Chrome at Google I/O 2018, and, as mentioned in a recent article, Microsoft announced Azure AD sign-in on Windows 10 using a FIDO2-enabled security key.
Security Key by Yubico
The Security Key by Yubico (Security Key) supports not only FIDO U2F but also FIDO2 (CTAP2).
CTAP2 is the FIDO Alliance specification of the protocol spoken between a client (for example, a browser) and an authenticator (for example, a security key). It extends CTAP1, the transport used by FIDO U2F: messages are encoded in binary CBOR, and the protocol adds options such as a client PIN and built-in user verification (for example, biometrics).
In the past few days there have been many WebAuthn-related announcements and sample programs; a few of them are covered in this article.
Google Chrome Beta
The biggest update is that Google Chrome now supports CTAP2 in its pre-release channels.
Use Chrome Beta version 67 or higher (Dev and Canary also worked).
Chrome Beta version can be downloaded from
Start Chrome with the command-line option --enable-features=WebAuthenticationCtap2 to enable CTAP2 support.
Once Chrome Beta is running with that flag, return to this page, press F12 and type the following into the console.
It creates a credential for the RP (the application) www.yubion.com and for the user with id "abcdefghijklmnopqrstuvwxyz123456".
With the Security Key by Yubico (hereafter "Security Key") inserted in the PC, Chrome asks for permission to access it.
The response from the Security Key is printed in the console.
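The console step above, written out as an added example (this is not the post's own snippet): it builds the WebAuthn registration request for the RP www.yubion.com and the user id "abcdefghijklmnopqrstuvwxyz123456" given in the text, validates the parameters WebAuthn constrains, and prints the response buffers as hex so they can be compared with what webauthn.org shows. The RP name, user name, display name, timeout and attestation preference are illustrative assumptions; the challenge is generated in the browser here only for the demo, since a real RP must generate it server-side and check it on return.

```javascript
// Added example, not from the original post. Builds the
// navigator.credentials.create() request for the RP and user id used
// in the article and prints the Security Key's response in hex.

const RP_ID = "www.yubion.com";                          // RP id from the post
const USER_ID = "abcdefghijklmnopqrstuvwxyz123456";     // 32 ASCII bytes, from the post

// Build PublicKeyCredentialCreationOptions. The challenge is passed in so
// the pure part can be exercised without a browser; in the browser it comes
// from crypto.getRandomValues (a real RP generates it server-side).
function buildCreateOptions({ rpId, userId, challenge }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be at least 16 random bytes");
  }
  const userIdBytes = new TextEncoder().encode(userId);
  if (userIdBytes.length === 0 || userIdBytes.length > 64) {
    throw new Error("user.id must be 1..64 bytes");        // WebAuthn user handle limit
  }
  return {
    publicKey: {
      rp: { id: rpId, name: rpId },                          // name: assumption
      user: { id: userIdBytes, name: "user@" + rpId, displayName: "Test user" }, // assumptions
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],   // ES256 (COSE alg -7)
      timeout: 60000,                                        // assumption
      attestation: "direct",            // request attestation so the AAGUID is returned
      authenticatorSelection: { userVerification: "discouraged" }, // no PIN prompt
    },
  };
}

// Hex helper for printing ArrayBuffers / Uint8Arrays from the response.
function toHex(buf) {
  return Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Browser-only part: runs the ceremony against the inserted Security Key.
async function registerInBrowser() {
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  const options = buildCreateOptions({ rpId: RP_ID, userId: USER_ID, challenge });
  const cred = await navigator.credentials.create(options);
  console.log("credential id:", toHex(cred.rawId));
  console.log("clientDataJSON:", new TextDecoder().decode(cred.response.clientDataJSON));
  console.log("attestationObject (CBOR, hex):", toHex(cred.response.attestationObject));
  return cred;
}

// Only run the ceremony where the WebAuthn API exists (the Chrome console).
if (typeof navigator !== "undefined" && navigator.credentials) {
  registerInBrowser().catch((e) => console.error("registration failed:", e));
}
```

Paste the whole block into the F12 console on the page; the attestationObject printed last is the CBOR structure whose authData carries the AAGUID discussed further down.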
WebAuthn.org
A test server is available at webauthn.org; it asks for a username and then walks through registration. In this example it was accessed from Chrome Beta with the Security Key plugged in.
Chrome asks for permission to access the Security Key; press Allow and touch the key to prove user presence.
Key registration is then complete.
Follow the same procedure to verify the login process.
On webauthn.org, the detailed communication data can be displayed by opening ADVANCED.
A closer look shows that the AAGUID, which is all zeros for a credential registered over U2F, now carries a value.
So CTAP2 is in use, since a real AAGUID is present, but the PIN option does not appear to have been implemented yet.
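To make the AAGUID check above concrete, here is an added example (not code from the post or from webauthn.org) that parses the authenticatorData structure contained in the attestationObject and reports the AAGUID, the flags and the signature counter. The layout is the one defined by WebAuthn: rpIdHash (32 bytes), flags (1), signCount (4, big-endian), then, when the AT flag is set, attestedCredentialData consisting of aaguid (16), credentialIdLength (2), credentialId and a COSE public key. The sample bytes at the bottom are constructed for the demo (a made-up AAGUID, a fake rpIdHash, no COSE key), not a real capture; a U2F-registered credential shows 16 zero bytes where the CTAP2 key shows its model identifier.

```javascript
// Added example, not from the original post. Parses WebAuthn
// authenticatorData and extracts the AAGUID, so a U2F (all-zero) and a
// CTAP2 (non-zero) registration can be told apart.

const FLAG_UP = 0x01;   // user present
const FLAG_UV = 0x04;   // user verified (PIN or biometric)
const FLAG_AT = 0x40;   // attested credential data included
const FLAG_ED = 0x80;   // extension data included

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Render 16 bytes in the 8-4-4-4-12 form webauthn.org and FIDO metadata use.
function formatAaguid(bytes16) {
  const h = toHex(bytes16);
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const out = {
    rpIdHash: toHex(authData.subarray(0, 32)),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),        // big-endian per spec
    aaguid: null,
    aaguidIsZero: null,
    credentialId: null,
  };
  let offset = 37;
  if (flags & FLAG_AT) {
    if (authData.length < offset + 18) throw new Error("truncated attestedCredentialData");
    const aaguid = authData.subarray(offset, offset + 16);
    out.aaguid = formatAaguid(aaguid);
    out.aaguidIsZero = aaguid.every((b) => b === 0);   // all zeros => U2F/CTAP1 credential
    const credIdLen = view.getUint16(offset + 16, false);
    offset += 18;
    if (authData.length < offset + credIdLen) throw new Error("truncated credentialId");
    out.credentialId = toHex(authData.subarray(offset, offset + credIdLen));
    offset += credIdLen;
    // The COSE public key (CBOR) follows here; decoding it is out of scope.
  }
  return out;
}

// Constructs sample authenticatorData for the demo. Not a real capture:
// the rpIdHash is 32 bytes of 0x11 and no COSE key is appended.
function buildSampleAuthData({ aaguid, flags, signCount, credId }) {
  const head = new Uint8Array(37);
  head.fill(0x11, 0, 32);
  head[32] = flags;
  new DataView(head.buffer).setUint32(33, signCount, false);
  if (!(flags & FLAG_AT)) return head;
  const att = new Uint8Array(18 + credId.length);
  att.set(aaguid, 0);
  att[16] = credId.length >> 8;
  att[17] = credId.length & 0xff;
  att.set(credId, 18);
  const out = new Uint8Array(head.length + att.length);
  out.set(head, 0);
  out.set(att, head.length);
  return out;
}

// Made-up AAGUID for the demo (not any vendor's real identifier).
const SAMPLE_AAGUID = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16];

const ctap2Sample = buildSampleAuthData({ aaguid: SAMPLE_AAGUID, flags: FLAG_UP | FLAG_AT, signCount: 5, credId: [1, 2, 3, 4] });
const u2fSample = buildSampleAuthData({ aaguid: new Array(16).fill(0), flags: FLAG_UP | FLAG_AT, signCount: 0, credId: [9] });
console.log("CTAP2-style:", parseAuthenticatorData(ctap2Sample));
console.log("U2F-style:", parseAuthenticatorData(u2fSample));
```

In the browser, feed it the real bytes instead: decode the attestationObject (CBOR) returned by navigator.credentials.create(), take its authData member, and pass that Uint8Array to parseAuthenticatorData; webauthn.org's ADVANCED view shows the same fields. A relying party should also check that the signature counter increases between assertions, which is the cloned-authenticator signal the counter exists for.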
That raises the question of whether, when getInfo reports clientPin: true (meaning a PIN has been set on the authenticator), a request sent to the device must also carry PIN authentication. In the CTAP2 specification it must for registration: a makeCredential request without pinAuth is rejected with CTAP2_ERR_PIN_REQUIRED once a PIN is set.
The PIN itself never travels in the clear. As described in the pinToken section of the specification, the client and the authenticator agree on a shared secret with ECDH (the SHA-256 hash of the shared point), and the PIN material and the returned pinToken are encrypted under that secret (AES-256-CBC in PIN protocol 1).
Yubico python-fido2
python-fido2 is a CTAP2 library in Python from Yubico, the maker of the Security Key.
Running example/get_info.py shows the following:
The AAGUID matches the value seen through Chrome on webauthn.org.
Reading this library is a good way to understand CTAP2, PIN setup, and authentication using a PIN.
Conclusion
Although CTAP2 implementations are still emerging, support is expected to arrive on many platforms and browsers.
Please check back here for more information and updates on the latest authentication technologies, such as FIDO.