With the release of the YubiKey 5Ci device with firmware 5.2.3, Yubico offers support for the latest FIDO2/WebAuthn functionality, offering advancements in FIDO credentials management and protection. These enhancements allow users to review FIDO2 resident credentials on their YubiKey and delete individual credentials without requiring a full reset, as well as allowing FIDO2 services to prevent unauthorized users from accessing the corresponding credentials on a user’s YubiKey.
Further, the enhancements to the FIDO2/WebAuthn spec include extending the encryption algorithms available for securing FIDO2 credentials, as well as services to support advanced platform authentication to YubiKeys, allowing for a more secure implementation of the FIDO2/WebAuthn protocols.
With FIDO2, credentials can reside on the authenticator, i.e., the YubiKey. Resident credentials allow for passwordless and usernameless experience where the user just needs to enter in their user verification PIN to authenticate. Given this capability, the platform needs to be able to read, display and act upon the resident credentials in a secure manner.
Credential Management allows the platform to display the credentials that reside on the security key so that the user can act upon them. The platform can show the credential Relying Party (RP) information, the credential descriptor, and the number of resident credentials on the authenticator. Credential management does not have the capability to display non-resident keys (including U2F based credentials) as that information is not stored on the authenticator in any fashion.
The Client to Authenticator Protocol (CTAP) defines the information that the platform can retrieve from the authenticator. The platform can retrieve the following information from the authenticator.
- Number of existing resident credentials present on the authenticator
- Number of maximum possible remaining resident credentials which can be created on the authenticator
- Relying Party Information
- RPID SHA-256 hash
- Total number of RPs present on the authenticator
- Total number of credentials present on the authenticator for the RP in question
- Public key of the credential
- Credential protection policy
Browser support for Credential Management is coming, with support for listing and deleting FIDO2 credentials. However, this browser-based FIDO2 credential management will not work on Windows 10 build 1903. The YubiKey Manager CLI tool, version 1.1.2 and above, will work to list and delete FIDO 2 resident credentials when run as an administrator.
To counterbalance the function to enumerate FIDO2 resident credentials, the Credential Protection extension was introduced to improve privacy.
Credentials stored on an FIDO2 authenticator may be read to get basic information about them. Using the ‘GetInfo’ command, the authenticator will list the relying parties that have a credential stored on that authenticator.
One of the benefits of platforms being able to read the list of resident credentials is to provide a better user experience. The platform can find the appropriate credential without the user being involved. This feature also enables “Silent Auth” scenarios in a more secure manner.
However, If an unauthorized user is able to get a hold of the FIDO2 authenticator, they could use the same command to see what relying parties that the authenticator is registered with. This could compromise privacy for the user, as it provides a list of sites the user accesses. To satisfy both privacy and ease-of-use, the Credential Protection extension was added. With the Credential Protection extension set, the associated FIDO2 credential can be flagged to not be exposed to any one without user verification - it can neither be read nor used for authentication with the user asserting their identity. The Credential Protect extension is set by the relying party at credential registration. The extension has three options:
The default state of the credential if the extension is not specified. As the name suggests, the user verification is not required for the authenticatorGetInfo command to return the list of credentials that reside on the authenticator.
In this configuration, the authenticator will only display the credentials associated with the credential ID that is provided by the platform without the user performing a verification step. If the user does do a verification step, all resident credentials would then be discoverable.
- User verification required
In this configuration, no resident credential information will be returned unless it is preceded by user verification.
The credential protection policy is set by an RP at registration; the policy is applied to the created resident key and not the authenticator as a whole. Further, the user verification extension must be set to required for the credential protection to function correctly - failure to do so may result in the credential never being exposed for even valid authentication events. The authenticator does need to be able to interpret the credential protection request to properly create the credential, limiting support to the new YubiKey 5Ci and other YubiKeys with the 5.2.3 firmware.
To support the new Credential Management and Protection features, the FIDO2/WebAuthn GetInfo command has been expanded. The GetInfo command can return information about the FIDO2 authenticator, including:
- Support for the new Credential Management and Protection extension
- The max-credID length and max creds supported by the Authenticator
- Encryption Algorithms supported by the authenticator
- The supported algorithms are provided as a list to the WebAuthn client.
- Transports supported by authenticator
- Previously, transports were only available in the Attestation data, requiring a registration event
- Support for the HMAC secret extension
As in the previous implementation, the GetInfo command returns information to the FIDO2 / WebAuthn client, such as a browser or platform, and not the relying party.
Additional Encryption Algorithms
To ensure a high level of security for the FIDO2 authentication credentials, the supported encryption algorithms have been updated. Support for the Ed25519 curve has been added, while support for RSA keys has been removed.
HMAC Secret Extension (hmac-secret)
For Platform Authentication, support has been added for the HMAC Secret extension. This CTAP defined extension is used by the platform to retrieve a symmetric secret from the authenticator when it needs to encrypt or decrypt data using said symmetric secret. This can be used in off-line authentication scenarios when the platform does not have access to a FIDO server to validate the public key of the credential.
The symmetric secrets are scoped to a credential and not the authenticator. The HMAC secrets extension is enabled on a create credential request basis by setting the appropriate flag. The authenticator and platform only have a part of the complete secret each to help prevent offline attacks. This extension can be used to maintain different secrets on different systems. The protocol allows for two HMAC secrets which enables rolling-over symmetric secrets. This supports all of the platform authentication scenarios - both user-verified and silent authentication.