Re: WebAuthn and dealing with authenticator firmware updates

I understand that's a stated certification requirement. My personal 
observation is that it is also a non-enforceable FIDO "rule" that has a 
lot of gray areas. For example during certification there is no 
measurement or record of firmware version, nor is it part of the metadata 
spec, nor can an RP discover it via the protocol. Are there guidelines on 
what may actually be updated without re-certification?

For example, let's say I have a UV capable portable authenticator that 
does fingerprint for UV, requiring it be registered by the owner before 
the FIDO registration ceremony. A flaw is discovered that allows you to 
bypass the local UV fingerprint matching software with ... let's say an 
artificial finger. The vendor offers updated firmware to counter this 
flaw. Nothing in core FIDO has changed - for all practical purposes the 
authenticator still behaves the same against all conformance testing 
interfaces the same way. This is still potentially very useful information 
to an RP.

Perhaps a good corporate citizen authenticator vendor does a product 
recall, or offers a free/discounted new model (new AAGUID), however at the 
moment it's also perfectly valid for the authenticator vendor to offer a 
self-service firmware upgrade. The RP would never know.


Perhaps this just comes down to vendor reputation, requiring RP's to 
decide by way of public opinion as to whether a particular vendor's 
technologies practices are reputable?

An alternative would be to prohibit any alteration to software/firmware on 
the portable authenticator without rev'ing the AAGUID. This then increases 
the cost of certification. I am not proposing a solution at the moment - 
just illustrating the issue and soliciting ideas.



From:   Ackermann Yuriy <ackermann.yuriy@gmail.com>
To:     Shane B Weeden <sweeden@au1.ibm.com>
Cc:     Akshay Kumar <Akshay.Kumar@microsoft.com>, 
"public-webauthn@w3.org" <public-webauthn@w3.org>
Date:   21/02/2019 10:42 am
Subject:        Re: WebAuthn and dealing with authenticator firmware 
updates



FIDO certified authenticators are not allowed to change FIDO core without 
recertification, either through the delta or full. So attestation does not 
loose it value.

If you really need highly secure authenticators, you can look towards 
FIPS140-2 certified ones

On Wed, 20 Feb 2019 at 16:21, Shane B Weeden <sweeden@au1.ibm.com> wrote:
The reality is different. Some vendors do upgrade. Some even allow you to 
do it yourself. Others do new manufacturing runs of the same model with 
different firmware versions although it is not clear what internal rules 
apply to what may be updated in a firmware version. 

The lack of consistency or ability to detect this makes it challenging for 
an RP to always believe in the value of attestation given that even some 
certified authenticator work this way. 

Sent from my iPhone

On 21 Feb 2019, at 10:07 am, Akshay Kumar <Akshay.Kumar@microsoft.com> 
wrote:

My assumption right now is external authenticators don’t upgrade. 
Upgrading the firmware needs to be thought through in terms of how 
securely one can upgrade. Also due to different form factors, mechanisms 
will be different. RP keeping a list of firmwares, which one is good and 
which one is not, is messy. And that list needs to be updated regularly by 
all the RPs. Which is another nightmare. 
 
From: Shane B Weeden <sweeden@au1.ibm.com> 
Sent: Wednesday, February 20, 2019 10:43 AM
To: public-webauthn@w3.org
Subject: WebAuthn and dealing with authenticator firmware updates
 
Per posting at:
https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/vNs52dde7oY



I'm considering opening a WebAuthn issue for this topic to see if there is 
a POV amongst webauthn authors on dealing with authenticator firmware 
version updates. This note is simply to solicit any comments on the list 
before I do that.

Thanks,
Shane...



-- 
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand