
I understand how FIDO works with a YubiKey: the YubiKey device has a symmetric key, and it uses the appId, a nonce and that symmetric key to generate a key pair for a website. The device then gives the public key and a keyHandle (which can be used to regenerate the private key) back to the RP.

But U2F works in Chrome on a Mac with a Touch Bar without a YubiKey. Does it mean macOS implemented the U2F protocol? (But U2F doesn't work in Safari!!!)

Who is generating and verifying the key handle in the case of a Mac?

Jack

1 Answer


Does it mean macOS implemented the U2F protocol?

No, it means that Chrome implements U2F by using properties of the TouchBar. From Issue 678128: Use TouchBar/TouchID as a secure element for implementing a U2F security key:

... The new MacBook Pros with TouchID have a secure enclave for storing the fingerprint data. We may be able to use this element for implementing an on-computer second-factor security key. ...

In other words: the support is implemented in the browser by using capabilities offered by the OS. It is not implemented by the OS itself.

Steffen Ullrich
  • Thanks Steffen. During auth, when the server returns the key handle, the YubiKey verifies the HMAC, then regenerates the private key and uses that private key to generate the signature. – Jack Sep 28 '19 at 13:53
  • From the link above I'm not clear whether the secret key is stored in the secure enclave or in the Chrome profile. Can you please clarify? If it is stored in the secure enclave, then Chrome will have to make multiple calls: to validate the MAC and then to generate the private key. – Jack Sep 28 '19 at 14:01
  • @Jack: I don't know the implementation details. But this would actually be a new question anyway, which should not be asked in a comment. From the short initial description of the requirements *"Private key is generated in the secure enclave, not in macOS"* I would assume, though, that the private key is kept in the secure enclave, because the point of creating the key there is to keep it there. – Steffen Ullrich Sep 28 '19 at 14:30
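To make the key-handle mechanism from the question and from Jack's comment concrete, here is an added example that is not part of the question, the answer, or any real authenticator's code. It models a stateless authenticator exactly as the question describes it: a single device secret, a per-registration nonce, a private key derived by HMAC over the appId and nonce, and a key handle that carries the nonce plus a MAC. During authentication the device checks the MAC first (so a handle minted by another device, or for another appId, is refused), re-derives the private key and signs. The signed-message layout, the 64-byte handle layout, the `b"priv"`/`b"mac"` domain labels and the class names are assumptions chosen for this example, not the U2F wire format; the P-256 ECDSA is a minimal pure-Python implementation for illustration, not constant-time and not for production use.

```python
import hashlib
import hmac
import secrets

# --- Minimal P-256 (secp256r1) ECDSA in affine coordinates; illustration only ---
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p, q):
    """Add two affine points; None represents the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def ecdsa_sign(priv, msg):
    z = _hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s


def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = _hash_int(msg)
    x = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


class U2FDevice:
    """Stateless authenticator: one device secret, keys re-derived from the key handle."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # never leaves the device

    def _derive_priv(self, app_id, nonce):
        d = hmac.new(self.secret, b"priv" + app_id + nonce, hashlib.sha256).digest()
        return int.from_bytes(d, "big") % (N - 1) + 1  # scalar in [1, N-1]

    def _mac(self, app_id, priv):
        return hmac.new(self.secret, b"mac" + app_id + priv.to_bytes(32, "big"),
                        hashlib.sha256).digest()

    def register(self, app_id):
        """Return (key_handle, public_key); the private key is not stored anywhere."""
        nonce = secrets.token_bytes(32)
        priv = self._derive_priv(app_id, nonce)
        return nonce + self._mac(app_id, priv), ec_mul(priv, G)

    def authenticate(self, app_id, key_handle, challenge):
        """Return a signature, or None if the handle is not ours / not for this appId."""
        if len(key_handle) != 64:
            return None
        nonce, mac = key_handle[:32], key_handle[32:]
        priv = self._derive_priv(app_id, nonce)
        if not hmac.compare_digest(mac, self._mac(app_id, priv)):
            return None  # MAC check fails for a foreign device or a different appId
        return ecdsa_sign(priv, app_id + challenge)


class RelyingParty:
    """Stores only (key_handle -> public key); verifies signatures over its own appId."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.creds = {}

    def enroll(self, device):
        key_handle, pub = device.register(self.app_id)
        self.creds[key_handle] = pub
        return key_handle

    def login(self, device, key_handle):
        challenge = secrets.token_bytes(32)  # constructed per-login challenge
        sig = device.authenticate(self.app_id, key_handle, challenge)
        return sig is not None and ecdsa_verify(self.creds[key_handle], self.app_id + challenge, sig)
```

Run it with `rp = RelyingParty(b"https://example.com")`, `kh = rp.enroll(U2FDevice())`, and `rp.login(...)`. The two refusals worth noticing are the ones that answer the question's "who verifies the key handle": a second `U2FDevice()` returns `None` for the same handle, and the same device returns `None` when asked to sign for a different appId, because the MAC inside the handle binds it to both the device secret and the appId.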