webauthn, fido, authenticator

How to make a browser recognize my FIDO2 authenticator?


Hi, I'm writing my own FIDO2 authenticator implementation. The firmware runs on a SAM E51 Curiosity Nano. I use tinyusb for the communication with the client (raw USB) and can successfully create new credentials and get/verify assertions using the libfido2 suite.

When I try to test my authenticator with one of the WebAuthn test websites (webauthn.io, webauthn.me, ...) using Firefox, the browser seems to ignore the device / doesn't recognize it.

Do I need to whitelist the device in some way, or is there a specific USB configuration required?

I don't really know what to look for.

dmesg output

own

new full-speed USB device number 29 using xhci_hcd
[15568.051250] usb 1-1: New USB device found, idVendor=cafe, idProduct=4004, bcdDevice= 1.00
[15568.051265] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[15568.051272] usb 1-1: Product: CandyStick FIDO
[15568.051278] usb 1-1: Manufacturer: SugarYourCoffee
[15568.051282] usb 1-1: SerialNumber: cafebabe
[15568.054804] hid-generic 0003:CAFE:4004.0027: hiddev1,hidraw3: USB HID v1.11 Device [SugarYourCoffee CandyStick FIDO] on usb-0000:00:14.0-1/input0

YubiKey

new full-speed USB device number 30 using xhci_hcd
[16832.270596] usb 1-1: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.12
[16832.270611] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[16832.270618] usb 1-1: Product: YubiKey OTP+FIDO+CCID
[16832.270624] usb 1-1: Manufacturer: Yubico
[16832.275477] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1050:0407.0028/input/input38
[16832.333245] hid-generic 0003:1050:0407.0028: input,hidraw3: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input0
[16832.334542] hid-generic 0003:1050:0407.0029: hiddev1,hidraw4: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input1

The only difference I see is that the YubiKey can also act as an input device.

I couldn't find anything related to my problem online.

GITHUB

Update 06.12.2022

So, like I mentioned in a comment below, systems detect possible HID authenticators through the F1D0 usage page.

One interesting thing is that I'm able to create new credentials for webauthn.io and webauthn.me with Chrome, but not with Firefox. Assertions don't work with either browser (but this seems like a different issue).

CBOR errors, like the wrong order of keys, seem to trigger a warning when using Chrome (something like: old or unsupported authenticator).

I'm really curious why Chrome is able to detect my authenticator and Firefox is not. Unfortunately there is no clear documentation on how both browsers enumerate authenticators. I've started reading through a fork of the Firefox source code, but wasn't able to pinpoint the code that checks for F1D0 or something similar.
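The update above says hosts find HID authenticators through the F1D0 usage page. The following is an added example, not code from the post or from any browser: a small HID report descriptor parser that lists each application collection and checks for usage page 0xF1D0 with usage 0x01 (CTAPHID). The function names, both sample descriptors and the sysfs path in the comment are assumptions made for illustration.

```python
import sys

FIDO_USAGE_PAGE = 0xF1D0  # usage page named in the question's update
CTAPHID_USAGE = 0x01      # CTAPHID usage ID from the CTAP HID transport spec

# Constructed sample descriptors (not taken from the asker's firmware).
FIDO_DESC = bytes.fromhex(
    "06d0f1 0901 a101 0920 1500 26ff00 7508 9540 8102"
    " 0921 1500 26ff00 7508 9540 9102 c0")
VENDOR_DESC = bytes.fromhex("0600ff" + FIDO_DESC.hex()[6:])  # same, page 0xFF00

def application_collections(desc: bytes):
    """Return [(usage_page, usage)] for each Application collection."""
    found, page, usage, i = [], 0, None, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                 # long item: size byte, tag byte, data
            if i + 1 >= len(desc):
                raise ValueError("truncated long item at offset %d" % i)
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated item at offset %d" % i)
        value = int.from_bytes(data, "little")
        kind = prefix & 0xFC               # tag and type, size bits masked off
        if kind == 0x04:                   # Global item: Usage Page
            page = value
        elif kind == 0x08:                 # Local item: Usage
            # a 4-byte usage carries its own usage page in the upper 16 bits
            usage = (value >> 16, value & 0xFFFF) if size == 4 else (None, value)
        elif prefix & 0x0C == 0:           # any Main item
            if kind == 0xA0 and value == 0x01 and usage is not None:
                found.append((page if usage[0] is None else usage[0], usage[1]))
            usage = None                   # local state resets after a Main item
        i += 1 + size
    return found

def advertises_fido(desc: bytes) -> bool:
    """True if an application collection uses page 0xF1D0, usage 0x01."""
    return (FIDO_USAGE_PAGE, CTAPHID_USAGE) in application_collections(desc)

if __name__ == "__main__":
    # Assumed Linux path: /sys/class/hidraw/hidrawN/device/report_descriptor
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FIDO_DESC
    for page, usage in application_collections(raw):
        print("application collection: page=0x%04X usage=0x%02X" % (page, usage))
    print("FIDO HID interface:", advertises_fido(raw))
```

Run against the descriptor of the hidraw node that dmesg reports for the device, a vendor-defined page such as 0xFF00 in place of 0xF1D0 shows up immediately in the output.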


Solution

  • I'm not sure that Firefox supports CTAP2 authenticators on non-Windows platforms. You may need to implement U2F (i.e. CTAP1) for Firefox support.