
Windows OS compatibility issues?

Open peardox opened this issue 1 year ago • 15 comments

Constructed a key on a Breadboard with a couple of switches (Reset + AuthOn15)

Here it is shown highlighted in USB devices...

[screenshot: fidelio highlighted in the USB devices list]

Went to the Yubico Demo Page, followed on-screen prompts and this happened (every time)

[screenshot: key registration failure on the Yubico demo page]

peardox avatar Sep 05 '24 08:09 peardox

Please see issues #1 and #2 ... There is an unknown issue with windows OS + edge. Any details you can share about how to fix are welcome. I'm not a windows user, so I would not know how to interpret those messages/screenshots.

danielinux avatar Sep 05 '24 15:09 danielinux

it would help if you could just share a .pcap obtained via usbmon for the device, to see if windows is attempting to send any command that's not supported or properly parsed.

danielinux avatar Sep 05 '24 15:09 danielinux

I'm not a windows user...

Linux is, I imagine, the obvious test you've already performed. X64, Aarch64 or Aarch32?

Have you tried Mac? I've got an old X86 I'll try out. Might be interesting to set the key up on Mac then try Auth on Win (might work depending where the fault is). If any problems then I'll verify the key works on Ubuntu (got an x64 machine running that) and possibly try the Pi5 + Pi4 as well.

I've tried Google Chrome and Firefox so far. Be worth verifying some others too. Obviously Yubico will have done some work in this respect (I hope???)

I'll go + look into USBMon (unfamiliar with it ATM) and try to sort you out the pcap.

Solving Windows issue(s) would be fairly important for the project to be popular I guess...

peardox avatar Sep 05 '24 16:09 peardox

Awesome! Thanks for looking into this.

I don't think the failure is arch-dependent, rather how the OS handles the device or specific protocol implementation details.

I only tested this on a few linux desktops so far, all x86_64. I've tested PAM integration and I'm using a few fidelio keys for multiple services.

danielinux avatar Sep 05 '24 17:09 danielinux

USBMon appears to be Linux only but it looks like WireShark can do USB sniffing so going to give that a go.

Tried GitHub for another test - also failed (there was a possibility that the problem was the Yubico demo site - but looks unlikely now)

About to drag the Mac (2013 - x64) out to try that as well. Wonder if I can remote into a Mac (Arm) and use local key somehow (it's at least possible - won't know unless I try I guess)

Something I'd like to investigate once this works cross-platform is the possibility of using it as Auth for SSH etc. You say PAM works so connecting to my server seems do-able. It'd be great if, for example, Putty could use it for Authentication on Windows (Putty's gotta be the most widespread SSH client out there)

After I've tried the Mac I'll get to Windows (wanna try setting key up then trying on Win - reduces fault possibilities)

Have you done a YouTube on this? Should be popular....

Oh - key persists if firmware updated - but presumably flash_usb.uf2 kills everything (dumb Question)

peardox avatar Sep 05 '24 18:09 peardox

Mac X64 worked without issues registering (I thought there was some button pressing and a flashing light involved?)

Tried seven different browsers on Windows. All fail identically - investigating further

peardox avatar Sep 05 '24 19:09 peardox

Righto - one pcap as requested

fidelio.zip

I kept the capture as short as possible but it's still got a lot of data. Started cap, tabbed to browser waiting to register, quickly went thru registration + failing, stopped cap

peardox avatar Sep 05 '24 19:09 peardox

@peardox thank you for all the time you spent on this. So as I expected, it's a windows-only issue. Your capture will definitely help, I'll have a look this weekend.

Have you done a YouTube on this? Should be popular....

Making fidelio popular was not the main focus, I made this for myself because I hate phone-based OTP, and lazily promoted it within my friends and colleagues. Some of their builds are cool (big panic buttons?)

Another user (@pagong) presented the project at the makers fair in Hannover last month: https://maker-faire.de/maker/kilpikonna-crew/

Oh - key persists if firmware updated - but presumably flash_usb.uf2 kills everything (dumb Question)

The "master" key for the device is stored at a high address in flash (0x72000), created on first use if none is available. If the update does not erase the page where the key is, the key persists. If you erase the flash and upload only the firmware, that's the "factory state" and the key will be created on first use.

Check src/u2f.c for details on master key generation and storage

#define FLASH_MKEY_OFF      0x72000

Thanks again for contributing to making fidelio usable for windows users

danielinux avatar Sep 06 '24 07:09 danielinux
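The persistence behaviour described in the reply above (key lives in a high flash page, created on first use, survives any update that leaves that page alone, reset by a full erase), as an added illustration that is not fidelio's own code. It replaces real flash with an in-memory 4 KiB page that starts erased (all 0xFF, as NOR flash reads after an erase). The assumption that "no key available" is detected by the key slot reading as erased flash, the use of /dev/urandom as a stand-in for the MCU's hardware RNG, and the function names are all mine; the 0x72000 offset is only echoed from the thread and the simulated page is indexed from 0.

```c
/* Added illustration, not fidelio's code: "create on first use" master key
 * in a flash page, simulated with an in-memory page. Assumptions: an erased
 * slot reads all 0xFF, and /dev/urandom stands in for the hardware RNG. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_MKEY_OFF   0x72000   /* offset quoted in the thread (informational) */
#define FLASH_PAGE_SIZE  4096
#define MKEY_LEN         32

static uint8_t sim_flash_page[FLASH_PAGE_SIZE];

/* Simulate erasing the page that holds the key: NOR flash then reads 0xFF.
 * This is the "factory state" from the reply; a firmware update that skips
 * this page leaves the key in place. */
void mkey_page_erase(void) { memset(sim_flash_page, 0xFF, sizeof sim_flash_page); }

/* Assumption: a slot that was never written reads as erased flash. */
static int slot_is_erased(const uint8_t *slot) {
    for (size_t i = 0; i < MKEY_LEN; i++)
        if (slot[i] != 0xFF) return 0;
    return 1;
}

/* Host-side stand-in for the MCU RNG. Returns 0 on success. */
static int fill_random(uint8_t *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Load the master key into out, generating and storing it first if the slot
 * is erased. Returns 1 if a key was freshly created, 0 if an existing key was
 * loaded, -1 on RNG failure. */
int mkey_load_or_create(uint8_t out[MKEY_LEN]) {
    int created = 0;
    if (slot_is_erased(sim_flash_page)) {
        uint8_t fresh[MKEY_LEN];
        do {                       /* never store a key that looks erased */
            if (fill_random(fresh, sizeof fresh) != 0) return -1;
        } while (slot_is_erased(fresh));
        memcpy(sim_flash_page, fresh, MKEY_LEN);
        created = 1;
    }
    memcpy(out, sim_flash_page, MKEY_LEN);
    return created;
}

/* Walk the three states from the reply: factory -> first use -> update that
 * keeps the page -> full erase. Returns 1 if the key persisted across the
 * non-erasing step and was replaced after the erase, 0 otherwise. */
int mkey_persistence_check(void) {
    uint8_t k1[MKEY_LEN], k2[MKEY_LEN], k3[MKEY_LEN];
    mkey_page_erase();                                  /* factory state */
    if (mkey_load_or_create(k1) != 1) return 0;         /* created on first use */
    if (mkey_load_or_create(k2) != 0) return 0;         /* page untouched: same key */
    if (memcmp(k1, k2, MKEY_LEN) != 0) return 0;
    mkey_page_erase();                                  /* full flash erase */
    if (mkey_load_or_create(k3) != 1) return 0;         /* new key, old one gone */
    return memcmp(k1, k3, MKEY_LEN) != 0;
}
```

The practical caveat this shows: a UF2 that only covers the firmware region leaves the key slot untouched, whereas anything that erases the whole device (or that page) silently rotates the master key, invalidating every key handle registered with services.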

Thanks again for contributing to making fidelio usable for windows users

It's not yet :)

I use Win11 as a daily driver so I also tested yesterday on a Win10 VM and passed the USB for Fidelio thru to the Win10 instance. Same issue there so it looks rather like all versions of Windows are bad in this way.

I've got a supply of the Waveshare Picos I mentioned (cos they're really cheap). Having looked into the device properly it's got no LED but has a 1.14" LCD instead. While a bigger modification, I do like the idea of showing device status, which would be really nice on the little LCD display - could be quite useful...

Like you Phone based things annoy me too. In general I see the current 2FA deluge as an attempt by big biz / gov to pass the buck for their own ineptitude in keeping your private data secure - you got hacked - but we advised you to use 2FA.... Of course there are also genuine reasons for OTP as well but I suspect it's mainly used for legal ass-covering.

peardox avatar Sep 06 '24 08:09 peardox

I checked your capture, we might be missing one (mandatory) U2F HID command reply.

This should be easily fixed by replying to U2FHID_PING as per specs. I'll be AFK today, let me know if you want to implement a fix yourself, otherwise I'll try to provide a patch tomorrow and find a windows machine to test

danielinux avatar Sep 07 '24 05:09 danielinux

Well, on windows I get several CTAP_CMD_INIT followed by a CTAP_CMD_CBOR (which is FIDO2 I believe?)

Better see what Mac does...

Found a ref in 2.0

There are seven mandatory but it appears only two are handled

peardox avatar Sep 07 '24 12:09 peardox

Yes, CBOR is definitely 2.0. That's something we'll implement too. Fidelio is 1.2 only and does not work with services like google, requiring fido 2.0, but I did not expect windows deprecating 1.2 completely.

Sticking to 1.2 for now was a choice to keep the code small and simple, but I might think about adding 2.0 in the future if services I use (e.g. github, local pam) stop working at some point.

Can you confirm that you are only getting 2.0 packets? Do you think it's not CTAP_PING then? I might have some time tomorrow to try to reproduce here

danielinux avatar Sep 07 '24 17:09 danielinux

On Windows I set a breakpoint in parse_u2f_raw's switch

The only codes I have seen so far are 6 and 16 (CTAP_CMD_INIT + CTAP_CMD_CBOR)

As I've not registered or authenticated on Windows yet I can't say what other packets I'll get until I can get past registration

Having said that CTAP_CMD_PING is mandatory as are CTAP_CMD_CANCEL and CTAP_KEEPALIVE while CTAPHID_ERROR (0x3F) is also mandatory so may turn up (unclear about that as it's in 2.0 not 1.2 - part of handling 1.2 with 2.0). - prob renamed from 1.2 as the code is the same as 1.2's U2FHID_ERROR (0x3F)

If 1.2 is deprecated then it should still work via the 2.0 interop method I imagine so the code should work on Windows then

peardox avatar Sep 07 '24 18:09 peardox

I agree, if there is a fallback to 1.2 we are perhaps sending an "error" reply to the CBOR command that the host cannot understand or properly parse.

danielinux avatar Sep 09 '24 04:09 danielinux
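The two preceding comments describe the exchange seen in the capture (CTAPHID INIT followed by CBOR, with PING, CANCEL and ERROR also mandatory) and the suspicion that the device answers the unsupported CBOR command in a way the host cannot parse. As an added example that is not fidelio's own code, here is a single-packet CTAPHID dispatcher for a U2F-1.2-only token: INIT is answered with the nonce echoed and the CBOR capability bit left clear, PING is echoed, MSG answers U2F_VERSION, and CBOR or any unknown command gets a well-formed CTAPHID_ERROR frame with ERR_INVALID_CMD so the host has a clean signal to fall back on. The command codes, error codes and 64-byte frame layout follow the FIDO CTAPHID spec; the channel allocator, the device version bytes and the function names are my assumptions, and multi-packet reassembly is out of scope.

```c
/* Added example, not fidelio's code: single-packet CTAPHID dispatcher for a
 * U2F-1.2-only token. Frame layout and codes follow the CTAPHID spec; the
 * channel allocator and device version bytes are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HID_RPT_SIZE    64
#define TYPE_INIT       0x80                 /* set on initialization packets */
#define CTAPHID_PING    (TYPE_INIT | 0x01)
#define CTAPHID_MSG     (TYPE_INIT | 0x03)   /* U2F raw APDU */
#define CTAPHID_INIT    (TYPE_INIT | 0x06)   /* decimal 6 in the thread */
#define CTAPHID_CBOR    (TYPE_INIT | 0x10)   /* decimal 16 in the thread, FIDO2 */
#define CTAPHID_ERROR   (TYPE_INIT | 0x3F)
#define ERR_INVALID_CMD 0x01
#define ERR_INVALID_LEN 0x03
#define CID_BROADCAST   0xFFFFFFFFu
#define CAP_CBOR        0x04                 /* deliberately never advertised */
#define U2F_INS_VERSION 0x03

static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Build one 64-byte initialization packet: CID | CMD | BCNTH | BCNTL | data.
 * Used for replies here, and usable by a host to build requests. */
static int frame(uint8_t *out, uint32_t cid, uint8_t cmd, const uint8_t *d, uint16_t n) {
    if (n > HID_RPT_SIZE - 7) return -1;
    memset(out, 0, HID_RPT_SIZE);
    put_u32(out, cid);
    out[4] = cmd; out[5] = (uint8_t)(n >> 8); out[6] = (uint8_t)(n & 0xFF);
    if (n) memcpy(out + 7, d, n);
    return HID_RPT_SIZE;
}
static int error_frame(uint8_t *out, uint32_t cid, uint8_t code) {
    return frame(out, cid, CTAPHID_ERROR, &code, 1);
}

static uint32_t next_cid = 1;   /* assumption: simple monotonic channel allocator */

/* U2F raw message inside CTAPHID_MSG: answer U2F_VERSION with "U2F_V2" + SW 9000,
 * any other INS with SW 6D00 (INS not supported). Register/authenticate omitted. */
static int u2f_msg(uint8_t *out, uint32_t cid, const uint8_t *apdu, uint16_t n) {
    if (n < 4) return error_frame(out, cid, ERR_INVALID_LEN);
    if (apdu[1] == U2F_INS_VERSION) {
        static const uint8_t v[] = { 'U', '2', 'F', '_', 'V', '2', 0x90, 0x00 };
        return frame(out, cid, CTAPHID_MSG, v, sizeof v);
    }
    static const uint8_t sw[] = { 0x6D, 0x00 };
    return frame(out, cid, CTAPHID_MSG, sw, sizeof sw);
}

/* Dispatch one incoming 64-byte report. Returns bytes written to out, or -1
 * for a continuation packet (reassembly not handled in this example). */
int ctaphid_handle(const uint8_t *in, uint8_t *out) {
    uint32_t cid = get_u32(in);
    uint8_t cmd = in[4];
    uint16_t bcnt = (uint16_t)(((uint16_t)in[5] << 8) | in[6]);
    const uint8_t *data = in + 7;

    if (!(cmd & TYPE_INIT)) return -1;
    if (bcnt > HID_RPT_SIZE - 7) return error_frame(out, cid, ERR_INVALID_LEN);

    switch (cmd) {
    case CTAPHID_INIT: {
        uint8_t r[17];
        if (bcnt != 8) return error_frame(out, cid, ERR_INVALID_LEN);
        memcpy(r, data, 8);                              /* echo the host nonce */
        put_u32(r + 8, cid == CID_BROADCAST ? next_cid++ : cid);
        r[12] = 2;                                       /* CTAPHID protocol version */
        r[13] = 1; r[14] = 2; r[15] = 0;                 /* device version (assumed) */
        r[16] = 0;                                       /* no CAP_CBOR: host should use MSG */
        return frame(out, cid, CTAPHID_INIT, r, sizeof r);
    }
    case CTAPHID_PING:                                   /* mandatory: echo the payload */
        return frame(out, cid, CTAPHID_PING, data, bcnt);
    case CTAPHID_MSG:
        return u2f_msg(out, cid, data, bcnt);
    case CTAPHID_CBOR:                                   /* FIDO2 unsupported: say so */
    default:
        return error_frame(out, cid, ERR_INVALID_CMD);
    }
}

int main(void) {
    uint8_t in[HID_RPT_SIZE], out[HID_RPT_SIZE];
    const uint8_t cbor_getinfo = 0x04;                   /* constructed sample request */
    frame(in, 1, CTAPHID_CBOR, &cbor_getinfo, 1);
    int n = ctaphid_handle(in, out);
    for (int i = 0; i < 8 && i < n; i++) printf("%02x ", out[i]);
    printf("\n");                                        /* 00 00 00 01 bf 00 01 01 */
    return 0;
}
```

What to compare against the capture: the host first sends INIT on the broadcast channel 0xFFFFFFFF and expects the 17-byte reply above on that same CID; if the capability byte has bit 0x04 clear, a conforming host stays on U2F MSG. If it sends CBOR anyway, the reply must be a proper ERROR frame (cmd 0xBF, BCNT 1) rather than silence or a malformed packet, otherwise the host-side timeout is what the user sees as a failure.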

https://github.com/PJK/libcbor.git ?

It's a dependency of https://github.com/Yubico/libfido2 anyway...

peardox avatar Sep 09 '24 11:09 peardox