
What are valid responses for the u2f version MSG? (FIDO2, CTAP2)

  • 2 replies
  • 1 has this problem
  • 5 views
  • Last reply by david735


Hi everyone,

[when using CTAPHID] newer versions of Firefox seem to issue a u2f version request after INIT if you choose the non-passkey login method (e.g. on Github). I wanted to ask what Firefox expects as response if I want to tell it that I don't support u2f.

The CTAP2 spec states that "The U2F_REGISTER and U2F_AUTHENTICATE commands MUST immediately fail and return SW_COMMAND_NOT_ALLOWED" if I've disabled u2f but I can't find anything about the VERSION command.

If I return "U2F_V2\x90\x00" (without quotation marks) at least I get a response. Just returning SW_COMMAND_NOT_ALLOWED (which should be "\x69\x86") doesn't seem to work (Firefox doesn't issue any further requests). I've also tried something like "FIDO_2_0\x90\x00" without success.

Can somebody tell me what Firefox expects in that case or give me a link to the related source code?

Best regards david


All replies (2)


In the context of FIDO2 and CTAP2 (Client-to-Authenticator Protocol 2), the U2F version message (U2F_VERSION) is part of the communication protocol used between a FIDO2 client (like a browser) and a FIDO2 authenticator (like a security key). It's used to negotiate and identify the version of the protocol that both the client and authenticator support.

The U2F version message typically includes a list of valid versions that the authenticator supports. As of my last knowledge update in September 2021, some of the valid U2F versions that may appear in the U2F version message are:

U2F_V2: This is the original U2F (Universal 2nd Factor) version, and it corresponds to the initial specification for hardware-based two-factor authentication. This version uses a challenge-response mechanism to authenticate the user.

CTAP2/U2F_V2: CTAP2 (Client-to-Authenticator Protocol 2) is the successor to U2F and is used in FIDO2 authentication. CTAP2 is a more advanced protocol that supports various types of authenticators, including biometric and passwordless methods. U2F_V2 in the U2F version message typically indicates compatibility with CTAP2 and FIDO2.


Thanks for the reply,

I'll try that out later.

Edit: "CTAP2\x90\x00", "CTAP/U2F_V2\x90\x00", "FIDO2\x90\x00" all do not seem to work. The only response that seems to "satisfy" Firefox is "U2F_v2\x90\x00".

Edit 2: So it seems I misdiagnosed the problem a little bit. I turned my "test credential" into a "PassKey" prior. Discoverable credentials always have to return at least the user id in a getAssertion response (even if you use it as second factor), but that didn't happen.

I guess that somehow the browser went into something like a "fallback mode" because of the malformed response and issued a u2f command.

Doesn't really answer the initial question, so I'll keep it open. I'm still interested if I can just always return SW_COMMAND_NOT_ALLOWED (or something similar).

Modified by david735
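Both the original question and the second reply turn on the same two responses: "U2F_V2" followed by 0x9000 for U2F_VERSION, and SW_COMMAND_NOT_ALLOWED (0x6986) for U2F_REGISTER and U2F_AUTHENTICATE on a device with U2F disabled. As an added example (not code from the thread, from Firefox, or from any authenticator project), the handler below encodes exactly the behaviour reported here, including parsing of both short and extended-length APDU encodings; answering VERSION with U2F_V2 is taken from the poster's observation, not from a spec requirement, and the names parse_apdu and handle_u2f_msg are chosen here.

```python
# Authenticator side of the U2F raw APDUs carried in a CTAPHID_MSG payload, for a
# CTAP2-only device (added example; CTAPHID framing itself is not shown).
U2F_REGISTER, U2F_AUTHENTICATE, U2F_VERSION = 0x01, 0x02, 0x03
SW_NO_ERROR = b"\x90\x00"
SW_COMMAND_NOT_ALLOWED = b"\x69\x86"   # value as quoted in the question
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
SW_CLA_NOT_SUPPORTED = b"\x6e\x00"
SW_WRONG_LENGTH = b"\x67\x00"          # returned here for malformed/truncated APDUs
VERSION_STRING = b"U2F_V2"             # the response the poster reports Firefox accepts

def parse_apdu(apdu):
    """Split a U2F request APDU into (ins, p1, p2, data).

    Accepts short (1-byte Lc/Le) and extended (0x00 + 2-byte Lc/Le) encodings;
    returns None when the length fields do not match the bytes received.
    """
    if len(apdu) < 4:
        return None
    ins, p1, p2, body = apdu[1], apdu[2], apdu[3], apdu[4:]
    if len(body) <= 1:                       # no data; at most a short Le
        return ins, p1, p2, b""
    if body[0] == 0x00 and len(body) == 3:   # no data; extended Le only
        return ins, p1, p2, b""
    if body[0] == 0x00:                      # extended: 00 Lc(2) data [Le(2)]
        lc, data, le_len = int.from_bytes(body[1:3], "big"), body[3:], 2
    else:                                    # short: Lc(1) data [Le(1)]
        lc, data, le_len = body[0], body[1:], 1
    if len(data) - lc not in (0, le_len):    # exactly Lc bytes, plus optional Le
        return None
    return ins, p1, p2, data[:lc]

def handle_u2f_msg(apdu):
    """Build the response APDU (data || SW1 SW2) for one U2F request."""
    parsed = parse_apdu(apdu)
    if parsed is None:
        return SW_WRONG_LENGTH
    if apdu[0] != 0x00:                      # U2F raw messages use CLA 0x00
        return SW_CLA_NOT_SUPPORTED
    if parsed[0] == U2F_VERSION:
        return VERSION_STRING + SW_NO_ERROR
    if parsed[0] in (U2F_REGISTER, U2F_AUTHENTICATE):
        return SW_COMMAND_NOT_ALLOWED      # U2F disabled: refuse, per the CTAP2 text
    return SW_INS_NOT_SUPPORTED

if __name__ == "__main__":
    # Constructed requests: a VERSION probe, then a REGISTER carrying a 64-byte
    # challenge+application parameter body (all zeros, for illustration only).
    for req in (b"\x00\x03\x00\x00\x00\x00\x00",
                b"\x00\x01\x03\x00\x00\x00\x40" + bytes(64) + b"\x00\x00"):
        print(req[:4].hex(), "->", handle_u2f_msg(req).hex())
```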