Incomplete Implementation of CTAP2 (FIDO2) protocol in Chrome?


I've been investigating the implementation of the CTAP2 protocol in Google Chrome (the protocol between a FIDO authenticator and a FIDO client, e.g. Chrome), which should be supported in Chrome since version 69.

So I dumped the Chrome requests to the authenticator in two cases:

1. U2F (CTAP1) with the Yubico demo website.

Here everything goes as expected and Chrome follows the CTAP1 protocol.

2. FIDO2/WebAuthn (CTAP2) with webauthn.org

And the browser has a strange behaviour:

  • It starts by following the CTAP2 protocol by sending an AuthenticatorGetInfoRequest
  • The Authenticator replies with AuthenticatorGetInfoResponse
  • But then Chrome switches to the CTAP1 protocol by sending a Registration Request Message (U2F_REGISTER)

Is it a problem with Chrome's implementation, i.e. CTAP2 is not entirely enabled yet (it seems to be implemented in the Chromium sources)?

Or is the problem coming from the authenticator: sending a response that makes Chrome switch to CTAP1?

Or something else entirely?


Solution

  • In AuthenticatorGetInfoRequest, the authenticator must respond with a string list of the supported versions among "U2F_V2" and "FIDO_2_0". Note also that in the case of NFC or CCID, a "FIDO_2_0" (CTAP2) only authenticator shall answer "FIDO_2_0" directly on the SELECT command. I don't know about HID and BLE.

    So maybe your authenticator is listing "U2F_V2" in the protocol versions list in AuthenticatorGetInfoRequest.

    I also imagine the Chrome code base for this was moving fast and could be partial or not strict. In my tests in early 2020, the Chrome CTAP capabilities now seem stable and compliant.
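
To check the hypothesis in the answer above against a dumped response, this added example (not from the original post, and not Chrome's code) decodes a raw authenticatorGetInfo response and returns the version strings the authenticator advertises. The function names and both sample responses are constructed for illustration; the layout assumed is a one-byte CTAP2 status followed by a CBOR map whose key 0x01 holds the versions list.

```python
def decode(buf, pos=0):
    """Decode one CBOR item of the subset GetInfo uses; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21):            # simple values false / true
        return info == 21, pos
    if info > 27:
        raise ValueError("reserved or indefinite-length encoding")
    n = 0 if info < 24 else 1 << (info - 24)       # size of the argument field
    arg, pos = (int.from_bytes(buf[pos:pos + n], "big") if n else info), pos + n
    if pos > len(buf) or (major in (2, 3) and pos + arg > len(buf)):
        raise ValueError("truncated CBOR item")
    if major == 0:                                 # unsigned integer
        return arg, pos
    if major in (2, 3):                            # byte string / text string
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:                                 # array
        items = []
        for _ in range(arg):
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                                 # map
        result = {}
        for _ in range(arg):
            key, pos = decode(buf, pos)
            result[key], pos = decode(buf, pos)
        return result, pos
    raise ValueError("unsupported CBOR type")

def advertised_versions(response):
    """Return the versions list (map key 0x01) of a raw authenticatorGetInfo response."""
    if not response or response[0] != 0x00:        # first byte is the CTAP2 status
        raise ValueError("status byte is not CTAP2_OK (0x00)")
    info, end = decode(response, 1)
    versions = info.get(0x01) if isinstance(info, dict) and end == len(response) else None
    if not isinstance(versions, list) or not all(isinstance(v, str) for v in versions):
        raise ValueError("versions (key 0x01) missing or malformed")
    return versions

# Constructed sample responses (not captured from a device); the AAGUID is zeroed.
DUAL_STACK = (bytes.fromhex("00a3018266") + b"U2F_V2" + b"\x68" + b"FIDO_2_0"
              + bytes.fromhex("0350") + bytes(16) + bytes.fromhex("04a162") + b"rk" + b"\xf5")
FIDO2_ONLY = bytes.fromhex("00a2018168") + b"FIDO_2_0" + bytes.fromhex("0350") + bytes(16)

if __name__ == "__main__":
    print(advertised_versions(DUAL_STACK), advertised_versions(FIDO2_ONLY))
```

Feeding it the GetInfo response bytes from your own dump shows whether "U2F_V2" appears alongside "FIDO_2_0" in what the authenticator reports.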