
What are valid responses for the u2f version MSG? (FIDO2, CTAP2)

  • 2 replies
  • 1 has this problem
  • 5 views
  • Last reply by david735


Hi everyone,

[when using CTAPHID] newer versions of Firefox seem to issue a u2f version request after INIT if you choose the non-passkey login method (e.g. on Github). I wanted to ask what Firefox expects as response if I want to tell it that I don't support u2f.

The CTAP2 spec states that "The U2F_REGISTER and U2F_AUTHENTICATE commands MUST immediately fail and return SW_COMMAND_NOT_ALLOWED" if I've disabled u2f but I can't find anything about the VERSION command.

If I return "U2F_V2\x90\x00" (without quotation marks) at least I get a response. Just returning SW_COMMAND_NOT_ALLOWED (which should be "\x69\x86") doesn't seem to work (Firefox doesn't issue any further requests). I've also tried something like "FIDO_2_0\x90\x00" without success.

Can somebody tell me what Firefox expects in that case or give me a link to the related source code?

Best regards david
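The page does not say what Firefox itself checks, but the authenticator side of the exchange the question describes can be made concrete. The following is an added example, not Firefox code and not any authenticator's firmware: it parses the extended-length APDU that arrives in a CTAPHID_MSG payload, answers U2F_VERSION with the "U2F_V2" string plus SW_NO_ERROR (the response the post found Firefox accepts), and answers U2F_REGISTER and U2F_AUTHENTICATE with SW_COMMAND_NOT_ALLOWED (0x6986, the value given in the post) when U2F is disabled. The sample APDUs in the `if __name__` block are constructed for this example; the assumption that an enabled-but-untouched key answers 0x6985 (conditions not satisfied) stands in for real registration and signing, which this example does not implement.

```python
# Authenticator-side handling of U2F (CTAP1) raw messages carried in CTAPHID_MSG.
# Added example; not Firefox's or any vendor's code.
from dataclasses import dataclass
from typing import Optional

# U2F raw message INS values
U2F_REGISTER, U2F_AUTHENTICATE, U2F_VERSION = 0x01, 0x02, 0x03

# Status words (two bytes, appended to every response)
SW_NO_ERROR = b"\x90\x00"
SW_COMMAND_NOT_ALLOWED = b"\x69\x86"        # value quoted in the post
SW_CONDITIONS_NOT_SATISFIED = b"\x69\x85"   # "touch required", assumed stand-in below
SW_WRONG_LENGTH = b"\x67\x00"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
SW_CLA_NOT_SUPPORTED = b"\x6e\x00"

U2F_VERSION_STRING = b"U2F_V2"  # the only version string the U2F raw message format defines


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]


def parse_apdu(raw: bytes) -> Apdu:
    """Parse the extended-length APDU encoding used by U2F: CLA INS P1 P2 [00 Lc Lc data] [Le Le]."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    body = raw[4:]
    if not body:                       # case 1: header only
        return Apdu(cla, ins, p1, p2, b"", None)
    if body[0] != 0x00:
        raise ValueError("U2F uses extended length; first length byte must be 00")
    if len(body) == 3:                 # case 2: 00 Le1 Le2, no data
        return Apdu(cla, ins, p1, p2, b"", int.from_bytes(body[1:3], "big"))
    if len(body) < 3:
        raise ValueError("truncated length field")
    lc = int.from_bytes(body[1:3], "big")
    data = body[3:3 + lc]
    if len(data) != lc:
        raise ValueError("Lc exceeds payload length")
    rest = body[3 + lc:]
    if len(rest) == 0:                 # case 3: data, no Le
        return Apdu(cla, ins, p1, p2, data, None)
    if len(rest) == 2:                 # case 4: data followed by Le1 Le2
        return Apdu(cla, ins, p1, p2, data, int.from_bytes(rest, "big"))
    raise ValueError("unexpected trailing bytes after data")


def handle_u2f_message(raw: bytes, u2f_enabled: bool) -> bytes:
    """Return the response bytes (payload + status word) an authenticator would send."""
    try:
        apdu = parse_apdu(raw)
    except ValueError:
        return SW_WRONG_LENGTH
    if apdu.cla != 0x00:
        return SW_CLA_NOT_SUPPORTED
    if apdu.ins == U2F_VERSION:
        # Answered regardless of whether U2F operations are enabled.
        return U2F_VERSION_STRING + SW_NO_ERROR
    if apdu.ins in (U2F_REGISTER, U2F_AUTHENTICATE):
        if not u2f_enabled:
            # The CTAP2 behaviour the post quotes for a key with U2F disabled.
            return SW_COMMAND_NOT_ALLOWED
        # Assumption for this example: report "user presence required" instead of
        # performing the registration/signature, which is not modelled here.
        return SW_CONDITIONS_NOT_SATISFIED
    return SW_INS_NOT_SUPPORTED


def split_response(resp: bytes) -> tuple:
    """Separate a response into (payload, status word) for inspection."""
    return resp[:-2], resp[-2:]


if __name__ == "__main__":
    # Constructed sample APDUs, as a client would send them over CTAPHID_MSG.
    version_req = b"\x00\x03\x00\x00\x00\x00\x00"                # VERSION, Le only
    register_req = b"\x00\x01\x00\x00\x00\x00\x40" + bytes(64) + b"\x00\x00"
    for name, req in (("VERSION", version_req), ("REGISTER", register_req)):
        payload, sw = split_response(handle_u2f_message(req, u2f_enabled=False))
        print(f"{name}: payload={payload!r} sw={sw.hex()}")
```

Running the block prints the "U2F_V2" payload with status 9000 for the VERSION request and an empty payload with status 6986 for REGISTER, which is the combination the post reports as the one that keeps Firefox talking. If the REGISTER request were answered 6986 even for the VERSION request, the client would have nothing to negotiate with, which matches the "no further requests" symptom described above.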


All Replies (2)


In the context of FIDO2 and CTAP2 (Client-to-Authenticator Protocol 2), the U2F version message (U2F_VERSION) is part of the communication protocol used between a FIDO2 client (like a browser) and a FIDO2 authenticator (like a security key). It's used to negotiate and identify the version of the protocol that both the client and authenticator support.

The U2F version message typically includes a list of valid versions that the authenticator supports. As of my last knowledge update in September 2021, some of the valid U2F versions that may appear in the U2F version message are:

U2F_V2: This is the original U2F (Universal 2nd Factor) version, and it corresponds to the initial specification for hardware-based two-factor authentication. This version uses a challenge-response mechanism to authenticate the user.

CTAP2/U2F_V2: CTAP2 (Client-to-Authenticator Protocol 2) is the successor to U2F and is used in FIDO2 authentication. CTAP2 is a more advanced protocol that supports various types of authenticators, including biometric and passwordless methods. U2F_V2 in the U2F version message typically indicates compatibility with CTAP2 and FIDO2.


Thanks for the reply,

I'll try that out later.

Edit: "CTAP2\x90\x00", "CTAP/U2F_V2\x90\x00", "FIDO2\x90\x00" all do not seem to work. The only response that seems to "satisfy" Firefox is "U2F_v2\x90\x00".

Edit 2: So it seems I misdiagnosed the problem a little bit. I turned my "test credential" into a "PassKey" prior. Discoverable credentials always have to return at least the user id in a getAssertion response (even if you use it as second factor), but that didn't happen.

I guess that somehow the browser went into something like a "fallback mode" because of the malformed response and issued a u2f command.

Doesn't really answer the initial question, so I'll keep it open. I'm still interested if I can just always return SW_COMMAND_NOT_ALLOWED (or something similar).

Modified by david735