-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improved version of extension for Transaction Confirmation #2020
base: main
Are you sure you want to change the base?
Conversation
To be decided: should we change the extension name back to txAuthSimple? |
Close #2022 |
@christiaanbrand or @rlin1 can you join a WebAuthn WG call in March to discuss this? |
We would love to see this extension added to L3 and get browser/OS support. It is fundamentally relevant - even crucial - for any PSD2 regulated bank and other financial institutions. |
I plan to join the call on March 6th. |
I want to vouch for this for the reason already mentioned - without the ability to send transaction data to an authenticator in a way it can display them to the user (what you see is what you sign), achieving compliance in banking will be difficult for any FIDO2-related efforts. Standards such as Secure Payment Confirmation help a bit, but having the extension available would be much appreciated. |
Most important stuff has already been mentioned by @rlin1, @FlxMgdnz and @petrdvorak. Thank you! |
Maybe one more "storytelling comment" on this... When we started working on our FIDO2 HW token about two years ago, I read through the FIDO2 documents and thought: "This is great. We can send a challenge to an authenticator, and it will sign it." Then we started implementing things and found out that From the specification, I understand the
So, practically, it is something like this (non-minified, intentionally randomly found a bank with a long name, and used long challenge): {
"type": "webauthn.get",
"challenge": "cb48493c-a0c7-4a9d-9aed-a172724d4357&A1*A100CZK*ICZ2730300000001165254011*D20180425",
"origin": "moldindcondbank.md",
"topOrigin": "moldindcondbank.md",
"boolean": false
} Is this so horrible in terms of size? I mean... the SHA256 hash almost makes the payload longer. ;-) |
Any thoughts on this @andrewkozlik? |
Maybe one more comment from my side after extensive reading on this subject (apologies, but I am fascinated that a challenge-response protocol does not allow sending the challenge to the authenticator in plain form, or at least augment it with custom data). From what I understood, one of the reasons why web browser vendors did not implement I still think the best way to do this is not to destroy the challenge object by hashing it, but having an extension that works the best effort is enough. |
I agree that it would be a good first step to simply hand over tx data to authenticators and enable scenarios where dedicated hardware authenticators with display capabilities can be used. Ultimately, we should aim for platform support, as this will have a much bigger impact. From what I remember, there were concerns about tx data formatting and encoding, which need to be handled in secure context where you'd want as little of such complexity as possible. So the challenge is to define a format that is comprehensive enough for a user to understand what they are signing off, but simple enough for the platform providers' implementation teams to follow. |
Consider using a short name for the extension "conf" - instead of "confirmation". |
... configuration... conference... You might be overthinking it, keep the name descriptive. 😊 Edit: strlen('txAuthSimple')
12
strlen('confirmation')
12 |
Is introducing the confirmation length limit (1024 bytes?) helpful or harmful? What do you think? |
likely helpful. Potentially even shorter... |
Characters or bytes? Practically 1024 is more than sufficient, probably you will need to stick with very short and clear text informations, probably of less than 100 or 200 characters. So setting a max length limit of 1024 is surely not harmful for all usecases I can imagine and sets some technical restrictions. It can potentially be even shorter, but then we start to discuss when it starts to hurt the one or other. |
@mage28 We are looking at this from the connected authenticator perspective, so bytes are a bit better measure of the data transfer limit. For our use case, the typical message will be much shorter. Even rich transaction details are shorter, i.e.:
(160 characters) Note: PSD3 might change the scope of dynamic linking, so that the authentication code is linked to an amount, currency, destination account, and source account, at least. |
256 or 512 or 1024 bytes (not chars) including the zero terminator char, please. That is 255 or 511 or 1023 printable bytes. This will make the implementation so much easier for constricted embedded environments. |
@prusnak Reading through the conversation, this will primarily be about platform authenticators. Also, regarding the "confirmation" naming semantics, I read it as "it is the text the user can see in Windows UI alongside the standard confirmation window"). As a result, the JavaScript code will likely work by just providing a text... I would suggest keeping this USVString ("characters") and trimming the limit to 256 characters (which is plenty, as my example above suggests). UTF-8 encoding will result in at most 1024 bytes and will fit the zero terminating byte, or will fill the limit (CTAP protocol should hopefully take care of working with the data as bytes). |
To continue our efforts to implement WYSIWYS in the connected authenticator: We found that besides not having We were a bit desperate, as we really needed to get the data to the connected authenticator device so that the user could confirm it... and we managed to hack it. By only supporting non-discoverable credentials, we get the list of Introducing "WebAuthn2: This time, we will get it right.", starring Steven Segal. The signable challenge is in Verifiable Credentials format so that it is signed by the relying party, and the browser (or connected authenticator) can display it, as it is a standard format. Then, signing the challenge in the authenticator (platform or cross-platform) results in a Verifiable Presentation. Is there any effort alongside this outline? |
index.bs
Outdated
:: 1. use a dialog to the user that makes the user aware of the confirmation to be provided (as opposed to doing a simple sign in). | ||
1. display the confirmation prompt to the user. The client SHOULD | ||
indicate that the confirmation prompt originates from a specific relying party | ||
(as opposed to the platform itself). | ||
|
||
1. use the {{CollectedClientConfirmationData}} structure containing the confirmation prompt instead of using the {{CollectedClientData}} structure. | ||
|
||
1. pass-through the extension to the authenticator (see "client extension output" below) | ||
1. pass-through the "authenticator extension output" to the caller as part of the assertion |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: sentences should start with capital letters.
:: [=authentication extension|Authentication=] | ||
|
||
: Client extension input | ||
:: A single USVString confirmationPrompt. This string might contain the following formatting tags: <code><b></b></code> to mark the text inbetween as bold and <code><br /></code> to force a line break. Support of these formatting tags is "best effort". Implementations not supporting it SHALL NOT display the tags in "verbatim". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this needs to get trimmed down to just confirmation
:
:: A single USVString confirmationPrompt. This string might contain the following formatting tags: <code><b></b></code> to mark the text inbetween as bold and <code><br /></code> to force a line break. Support of these formatting tags is "best effort". Implementations not supporting it SHALL NOT display the tags in "verbatim". | |
:: A single USVString confirmation. This string might contain the following formatting tags: <code><b></b></code> to mark the text inbetween as bold and <code><br /></code> to force a line break. Support of these formatting tags is "best effort". Implementations not supporting it SHALL NOT display the tags in "verbatim". |
index.bs
Outdated
|
||
1. Verify that the `confirmation` key exists in the [=authData/extensions=] in |authData|. | ||
1. Verify that the `confirmation` value in the [=authData/extensions=] in |authData| equals the confirmation prompt that is expected (i.e., that was used when requesting the `confirmation` extension). | ||
1. If processing a response without the `confirmation` extension is acceptable by policy: Fall back to <code>|credential|.{{PublicKeyCredential/response}}.{{AuthenticatorResponse/clientDataJSON}}</code> entry if authenticator extension output is absent. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy-pasting offline chat with @rlin1
How does the extension processing work when
uv
ispreferred
orrequired
. Does the authenticator/client need to show two prompts?
It is up to the relying party to handle the different user verification options appropriately. This includes appropriate settings for userVerification and appropriate processing of UV and UP. This confirmation extension doesn’t change the way user verification is handled by the client platform / authenticator. Have added a note regarding this.
If the authenticator does not support displaying the confirmation prompt but supports signing the confirmation, does the browser/OS take over this responsibility? Do we need corresponding changes in CTAP to let providers indicate to the browser/OS whether this extension is fully/partially supported.
In that case the authenticator doesn’t support the confirmation extension. The client platform will add the confirmation details to the collectedClientData structure so that any authenticator would just sign over it- The relying arty can detect that by not finding the confirmation extension in the assertion, but only seeing the confirmation details in the collectedClientData.
“If processing a response without the
confirmation
extension is acceptable by policy” – Not sure what this means. How does an RP specify that confirmation prompt is optional. And if the confirmation is optional then it does not provide auditable evidence that consent was visible to the user as you stated below.
It is up to the relying party to decide whether or not to accept an assertion without the confirmation extension (but with confirmation details in the collected clientData). This situation indicates that a privileged component (i.e. client platform) has shown the confirmation details, but it wasn’t done by the authenticator itself (which could be an attested component).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the approach of letting RPs decide whether to accept an assertion without confirmation makes sense but its not clearly called out in the PR. We should further clarify here that if authenticator does not support the confirmation extension, the confirmation string is still signed over.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be addressed by commit 9f2723f
supporting security keys or platform authenticators to show the transaction. Also supports the platform to show the transaction text.
If the client displayed the transaction text but not the authenticator (for example when using a security without display), the transaction text will be only included in the collectedClientData - similar to what SPC is doing.
If the authenticator showed the transaction text, it will also be included in the extension that was signed by the authenticator (known and potentially attested entity showed the transaction text as opposed to a unknown client).
Preview | Diff