
Bug: Impossible to configure a FIDO2 Security Token

Open NeoXTof opened this issue 1 year ago • 5 comments

What happened?

I tried to configure multiple YubiKeys as a security token (two different YubiKey 5 NFC with firmware 5.1.2 and a YubiKey 5C NFC with firmware 5.4.3) on both 2FAGuard desktop and portable, but for all combinations I get an error message. Those 3 YubiKeys are already registered for FIDO2 authentication or passkeys and work properly.

Provide the error message / stack trace

Error: Assertion failed HmacSecret is null

What version of Windows are you using?

Windows 10 pro 64 bits 22H2

What version of the app are you using?

1.5.1.0 desktop and portable

NeoXTof avatar Oct 10 '24 11:10 NeoXTof

Thanks for reporting this bug.

The HMAC Secret Extension is the only way to encrypt data securely. After some research I found this article by Yubico. YubiKey added support for this extension in firmware version 5.2. This explains why your older keys are not working as expected.

I tested the implementation using a Security Key C NFC with the firmware 5.4.3, so with the same firmware version. I will check it again with a Windows 10 device.

Do you know if you have more than 25 discoverable credentials on your key? (But according to the FIDO2 specification, it should still work)

Can you please send me the logs of the app? You will find them inside the data folder.

timokoessler avatar Oct 10 '24 16:10 timokoessler

I should not have more than 25 FIDO credentials/passkeys on the 5.4.3 key, but there is no real way to check :(

Can you tell me the full path of the logs?

NeoXTof avatar Oct 10 '24 17:10 NeoXTof

Thanks for the quick reply. If you are using the portable edition, the logs are inside the 2FAGuard-Data\logs folder. The logs of the desktop edition are located in C:\Users\%username%\AppData\Local\2FAGuard\logs.

timokoessler avatar Oct 10 '24 17:10 timokoessler

I just tried again to configure the 5.4.3 but there are no log files for today :/ The last log file is from when I updated to 1.5.1.

[edit 2024/10/11] I've tried with a fresh install, no logs in the log folder. Is there a CLI option to increase verbosity?

NeoXTof avatar Oct 10 '24 18:10 NeoXTof

Sorry for the delay. Currently I do not have access to a Windows 10 device where I can test the login using a Yubikey. I will test it next week.

Can you check if your key works as expected (with hmac secret extension) on the following website: https://levischuck.com/blog/2023-02-prf-webauthn#heading-registration. You have to use a recent version of a Chromium based browser. After clicking on "Register", what does "Credential Extension Results" on the left side (Actual) say? If it works, it should display "enabled": true.

Edit: I didn't manage to get the HMAC WebAuthn extension working in any browser using my key, while it still works with 2FAGuard. Unfortunately, it is still a relatively new feature.

timokoessler avatar Oct 11 '24 20:10 timokoessler

Hello,

I tried the website, same result as you, could not get "enabled": true. I also tried to uninstall 2FAGuard and reinstall it, same result, I cannot register any YubiKey (and logs are still empty).

My YubiKeys are registered on multiple websites (Google, 1Password, Facebook, ...) so I'm sure they are working correctly.

NeoXTof avatar Oct 14 '24 07:10 NeoXTof

Hello, I will try this on a Windows 10 device soon, maybe it uses an old version of the Win32 WebAuthn API. There is a difference between the usage of WebAuthn for logging in on a website and local encryption, because the HMAC secret extension is only used for the second one.

timokoessler avatar Oct 15 '24 06:10 timokoessler

Update: I can confirm that I get the same error when using a Windows 10 device. I will try to find the reason for that as soon as possible.

timokoessler avatar Oct 15 '24 17:10 timokoessler

Don't hesitate to send me debug version if you need my support to find the root cause

NeoXTof avatar Oct 15 '24 18:10 NeoXTof

While Windows 11 includes the latest version of the webauthn.dll (version 7), Windows 10 appears to be shipped with version 2 of the Win32 WebAuthn API. According to comments in some Microsoft source code, I believe that at least version 4 is required to use the required secret extension. I have made an enquiry to Microsoft about this, but I assume that 2FAGuard can probably only support login with external security keys on Windows 11.

timokoessler avatar Oct 16 '24 13:10 timokoessler
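The comment above pins the failure on the Win32 WebAuthn API version that the OS ships. The following PowerShell snippet is an added example, not code from the thread or from 2FAGuard: it P/Invokes the two exported functions that webauthn.h documents (WebAuthNGetApiVersionNumber and WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable) so an affected user can report the API version of their own machine instead of guessing. The namespace WebAuthnCheck.Api is mine, and the threshold of 4 is taken from the developer's stated belief above, not from Microsoft documentation.

```powershell
# Added example (not part of the thread or of 2FAGuard): report the Win32 WebAuthn
# API version of the local webauthn.dll. Run in Windows PowerShell 5.1 or PowerShell 7.

$dllPath = Join-Path $env:SystemRoot 'System32\webauthn.dll'
if (-not (Test-Path $dllPath)) {
    Write-Host "webauthn.dll not found; the Win32 WebAuthn API is not available on this build."
    return
}

# File version of the DLL itself (informational; the API version below is what matters).
$fileVersion = (Get-Item $dllPath).VersionInfo.FileVersion
Write-Host "webauthn.dll file version: $fileVersion"

# P/Invoke declarations for two exports documented in webauthn.h.
# BOOL marshals as a 4-byte int, which is the default for C# bool in DllImport.
$signature = @'
[DllImport("webauthn.dll")]
public static extern uint WebAuthNGetApiVersionNumber();

[DllImport("webauthn.dll")]
public static extern int WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(out bool available);
'@
$native = Add-Type -MemberDefinition $signature -Name 'Api' -Namespace 'WebAuthnCheck' -PassThru

try {
    $apiVersion = [int]$native::WebAuthNGetApiVersionNumber()
} catch [System.EntryPointNotFoundException] {
    # Export missing: the DLL predates the documented baseline; treat as too old.
    $apiVersion = 0
}
Write-Host "Win32 WebAuthn API version: $apiVersion"

# Assumption taken from the thread, not from Microsoft documentation: the developer
# believes API version 4 or later is needed for the hmac-secret extension that
# 2FAGuard relies on for local encryption.
$requiredForHmacSecret = 4
if ($apiVersion -ge $requiredForHmacSecret) {
    Write-Host "API version $apiVersion >= $requiredForHmacSecret: hmac-secret should be usable."
} else {
    Write-Host "API version $apiVersion < $requiredForHmacSecret: expect 'HmacSecret is null' failures."
}

# Whether a Windows Hello platform authenticator is present (separate from roaming keys).
$uvAvailable = $false
$hr = $native::WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable([ref]$uvAvailable)
Write-Host ("Platform authenticator available: {0} (HRESULT 0x{1:X8})" -f $uvAvailable, $hr)
```

Add-Type compiles the declarations once per session; rerunning the script in the same session with a changed signature requires a new type name. Pasting the three Write-Host lines into a bug report, together with the Windows build from winver, gives the maintainer the data this thread had to infer indirectly.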

Update: I haven't received a reply from Microsoft to my message to the Win32 WebAuthn API support email address. The Microsoft Partner Center allows app developers to submit only non-technical support cases to Microsoft. For technical issues / questions, I am told to buy a support plan for several hundred euros. I will keep this issue open until the next release, which will include a better check of whether the OS is supported.

timokoessler avatar Oct 26 '24 16:10 timokoessler

With the end of support for Win 10, I guess I'll have to switch to Win 11 soon. So not a big worry.

NeoXTof avatar Nov 08 '24 09:11 NeoXTof

The new release includes better error handling and checks whether the OS supports all necessary features.

timokoessler avatar Dec 08 '24 10:12 timokoessler