W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2019

AW: AW: WebAuthn and dealing with authenticator firmware updates

From: <rlindemann@noknok.com>
Date: Thu, 21 Feb 2019 09:07:47 +0100
To: "'Shane B Weeden'" <sweeden@au1.ibm.com>
Cc: "'Ackermann Yuriy'" <ackermann.yuriy@gmail.com>, "'Akshay Kumar'" <Akshay.Kumar@microsoft.com>, <public-webauthn@w3.org>
Message-ID: <025601d4c9bc$88a29ce0$99e7d6a0$@noknok.com>
It could easily be added (e.g. via an extension in the Registration/Signature assertion providing the authenticatorVersion) and it would address the concerns you mentioned (i.e. allow RPs to understand whether unaddressed security issues are known for the specific authenticatorVersion).


Von: Shane B Weeden <sweeden@au1.ibm.com> 
Gesendet: Donnerstag, 21. Februar 2019 09:03
An: rlindemann@noknok.com
Cc: Ackermann Yuriy <ackermann.yuriy@gmail.com>; Akshay Kumar <Akshay.Kumar@microsoft.com>; public-webauthn@w3.org
Betreff: Re: AW: WebAuthn and dealing with authenticator firmware updates


Do you think this concept should apply to WebAuthn and FIDO2?

Sent from my iPhone

On 21 Feb 2019, at 5:53 pm, rlindemann@noknok.com <mailto:rlindemann@noknok.com>  wrote:

In FIDO UAF, we have the concept of an Authentication Firmware Version that is attested by the Authenticator (i.e. part of the signed message).

See “authenticatorVersion” in the Metadata Statement. It represents the earliest firmware version that matches the Metadata Statement. 


Kind regards,



Von: Shane B Weeden <sweeden@au1.ibm.com <mailto:sweeden@au1.ibm.com> > 
Gesendet: Donnerstag, 21. Februar 2019 03:48
An: Ackermann Yuriy <ackermann.yuriy@gmail.com <mailto:ackermann.yuriy@gmail.com> >
Cc: Akshay Kumar <Akshay.Kumar@microsoft.com <mailto:Akshay.Kumar@microsoft.com> >; public-webauthn@w3.org <mailto:public-webauthn@w3.org> 
Betreff: Re: WebAuthn and dealing with authenticator firmware updates


I understand that's a stated certification requirement. My personal observation is that it is also a non-enforceable FIDO "rule" that has a lot of gray areas. For example during certification there is no measurement or record of firmware version, nor is it part of the metadata spec, nor can an RP discover it via the protocol. Are there guidelines on what may actually be updated without re-certification?

For example, let's say I have a UV capable portable authenticator that does fingerprint for UV, requiring it be registered by the owner before the FIDO registration ceremony. A flaw is discovered that allows you to bypass the local UV fingerprint matching software with ... let's say an artificial finger. The vendor offers updated firmware to counter this flaw. Nothing in core FIDO has changed - for all practical purposes the authenticator still behaves the same against all conformance testing interfaces the same way. This is still potentially very useful information to an RP.

Perhaps a good corporate citizen authenticator vendor does a product recall, or offers a free/discounted new model (new AAGUID), however at the moment it's also perfectly valid for the authenticator vendor to offer a self-service firmware upgrade. The RP would never know.

Perhaps this just comes down to vendor reputation, requiring RP's to decide by way of public opinion as to whether a particular vendor's technologies practices are reputable?

An alternative would be to prohibit any alteration to software/firmware on the portable authenticator without rev'ing the AAGUID. This then increases the cost of certification. I am not proposing a solution at the moment - just illustrating the issue and soliciting ideas.

From:        Ackermann Yuriy <ackermann.yuriy@gmail.com <mailto:ackermann.yuriy@gmail.com> >
To:        Shane B Weeden <sweeden@au1.ibm.com <mailto:sweeden@au1.ibm.com> >
Cc:        Akshay Kumar <Akshay.Kumar@microsoft.com <mailto:Akshay.Kumar@microsoft.com> >, "public-webauthn@w3.org <mailto:public-webauthn@w3.org> " <public-webauthn@w3.org <mailto:public-webauthn@w3.org> >
Date:        21/02/2019 10:42 am
Subject:        Re: WebAuthn and dealing with authenticator firmware updates


FIDO certified authenticators are not allowed to change FIDO core without recertification, either through the delta or full. So attestation does not loose it value.

If you really need highly secure authenticators, you can look towards FIPS140-2 certified ones

On Wed, 20 Feb 2019 at 16:21, Shane B Weeden < <mailto:sweeden@au1.ibm.com> sweeden@au1.ibm.com> wrote:
The reality is different. Some vendors do upgrade. Some even allow you to do it yourself. Others do new manufacturing runs of the same model with different firmware versions although it is not clear what internal rules apply to what may be updated in a firmware version. 

The lack of consistency or ability to detect this makes it challenging for an RP to always believe in the value of attestation given that even some certified authenticator work this way. 

Sent from my iPhone

On 21 Feb 2019, at 10:07 am, Akshay Kumar < <mailto:Akshay.Kumar@microsoft.com> Akshay.Kumar@microsoft.com> wrote:

My assumption right now is external authenticators don’t upgrade. Upgrading the firmware needs to be thought through in terms of how securely one can upgrade. Also due to different form factors, mechanisms will be different. RP keeping a list of firmwares, which one is good and which one is not, is messy. And that list needs to be updated regularly by all the RPs. Which is another nightmare. 


From: Shane B Weeden < <mailto:sweeden@au1.ibm.com> sweeden@au1.ibm.com> 
Sent: Wednesday, February 20, 2019 10:43 AM
To:  <mailto:public-webauthn@w3.org> public-webauthn@w3.org
Subject: WebAuthn and dealing with authenticator firmware updates


Per posting at:
 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Ffidoalliance.org%2Fforum%2F%23!topic%2Ffido-dev%2FvNs52dde7oY&data=02%7C01%7CAkshay.Kumar%40microsoft.com%7C56552f6a07c046848a0f08d69765c29c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636862860662164882&sdata=Iq1Z%2B8VLqJ%2FutGNkfERKmZwB8VayGuUlQ3pKVYn%2BN%2Fg%3D&reserved=0> https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/vNs52dde7oY

I'm considering opening a WebAuthn issue for this topic to see if there is a POV amongst webauthn authors on dealing with authenticator firmware version updates. This note is simply to solicit any comments on the list before I do that.


Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github:  <https://github.com/herrjemand> @herrjemand
twitter:  <https://twitter.com/herrjemand> @herrjemand
medium:  <https://medium.com/@herrjemand> @herrjemand

Received on Thursday, 21 February 2019 08:08:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC