
I am implementing a web service to support U2F. I need users to be able to register more than one token to their account.

How should the authentication request message look when we have more than one key handle? I am currently working with the Chrome extension, and my working authentication request looks like this:

{
  "appId": "http://localhost:8080",
  "challenge": "7kozMX4EGFKYqmFOjLPD7QCHyJc7n3Pt0DHigNGf2aU",
  "keyHandle": "nLfGtT8E7EKT5zo9t4zvVPK7qjJQoXqTDD_WHKh64X99LYARhRZc5hb-49AlQYNQcJhkk3ujHeaY5ti9rshrKQ",
  "version": "U2F_V2"
}
Jakuje
YuvalJ
  • So what is the problem? You just need to store more public keys for a single user and verify the signature with both of them, isn't it? – Jakuje Jan 30 '16 at 17:27
  • @Jakuje The problem is how to send more than one key handle to the user in the authentication request. – YuvalJ Jan 31 '16 at 19:01

2 Answers

The JSON for an authentication request containing multiple authenticator (token) key handles looks like this (challenge and keyHandle values are shortened):

{
  "type": "u2f_sign_request",
  "timeoutSeconds": 30,
  "requestId": 123,
  "signRequests": [
    {
      "appId": "http://localhost:8080",
      "challenge": "7Wr...I6w",
      "keyHandle": "8BB...7YQ",
      "version": "U2F_V2"
    },
    {
      "appId": "http://localhost:8080",
      "challenge": "9Qb...HOE",
      "keyHandle": "5i8...CEJ",
      "version": "U2F_V2"
    }
  ]
}

NOTE: This is for the currently published public U2F JavaScript API: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html

dictionary Request {
    // The type of request, either "u2f_register_request"
    // or "u2f_sign_request".
    DOMString          type;

    // A list of SignRequest dictionaries, one for each
    // token already registered with this RP.
    SignRequest[]      signRequests;

    // A list of RegisterRequest dictionaries, one for each
    // protocol version that the RP is willing to register.
    RegisterRequest[]? registerRequests;

    // A timeout for the FIDO Client's processing, in seconds.
    int?               timeoutSeconds;

    // An integer identifying this request from concurrent requests.
    optional int?      requestId;
};

dictionary SignRequest {
    // Version of the protocol that the to-be-registered U2F
    // token must speak. E.g. "U2F_V2"
    DOMString version;

    // The websafe-base64-encoded challenge.
    DOMString challenge;

    // The registered keyHandle to use for signing, as
    // returned by the U2F token during registration.
    DOMString keyHandle;

    // The application id that the RP would like to assert.
    DOMString appId;
};

dictionary RegisterRequest {
    // Version of the protocol that the to-be-registered U2F
    // token must speak. E.g. "U2F_V2"
    DOMString version;

    // The websafe-base64-encoded challenge.
    DOMString challenge;

    // The application id that the RP would like to assert.
    DOMString appId;
};
mirko


Checking the documentation, during authentication (U2F_AUTHENTICATE) there is a message type 0x07 ("check-only"). This message does not require user presence or a signature, but just verifies that the handle was generated by the given token.

Only then should the other message type 0x03 ("enforce-user-presence-and-sign") continue.

The server just tries the tokens associated with the user, and the client chooses if the connected one is available, as far as I understand it.

Jakuje