FIDO2 PIN


We are doing our first steps with AA 6.4 - currently we are testing GroupWise and Filr with AA. The setup seems to work fine, authentication to GroupWise Client, GroupWise Web and Filr Web works with FIDO2, TOTP and Smartphone methods as second factor.

But now a new problem has arisen with the FIDO2 method. There is a fundamental difference if a Yubikey 5 is enrolled under Linux or Windows. I did all testing with a stick enrolled with Linux - which was fine. But if a stick is enrolled with Windows (and Firefox; the browser does not seem to make a difference) it forces the user to set a FIDO2 PIN which the user from now on needs to enter on every use. This is effectively a third factor - LDAP password, PIN, touching the stick - we can't explain this to our users.

I did not find a way to change this. Interestingly, the stick enrolled with Windows does not ask for a PIN when used under Linux, and the stick enrolled with Linux does not ask for a PIN on Windows. (Unfortunately most users use Windows and they will enroll their sticks with Windows.) So the PIN is not needed even when set. It does not seem to have any cryptographic function. But if available, Windows asks for it. And for a new enrollment Windows forces the user to set it. How can we change this?

Thanks for any advice.

Top Replies

  • 0  

    Hello,

    This seems to be related to this previous Idea:  Allow FIDO2 Method to have Configurable Options 

    If that is the case then Product Management should comment on the idea.

    Or perhaps you can add it too to the Ideas Portal.

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to Luciano Testa

    Yes, configurable settings would be a good idea, thanks for pointing to the Idea.

    But still I am not sure, if this would solve the problem. Does Windows respect the UserVerificationRequirement=discouraged ?

    Thanks,

    Mirko

  • Suggested Answer

    0   in reply to mguldner

    Hello,

To my knowledge, Windows does prefer the UserVerificationRequirement=required, while in Android this is not required at all. This opinion is based on an existing defect we are investigating.

    In this defect our customers pointed out that Android should ask for the PIN the same as Windows does.

    I suppose some Linux systems will not enforce this requirement.

My question to you now is, why avoid the PIN if the Yubikey activation is just a proof of presence and not verification? I can be wrong if the device, for example, checks for fingerprints.

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to Luciano Testa

I am not sure if I understand your question correctly... we want to avoid the PIN because it is an additional inconvenience for our users. We think a proof of presence is sufficient to have 2 factors (something they know (password) and something they have (Yubikey)).

    And everybody is free to set a PIN if he wants. And I agree, if a PIN exists, it should be required. The only thing that bothers me is that Windows forces a PIN to be set on a brand new Yubikey.

  • 0   in reply to mguldner

I think this whole behavior is an absolute mess. I've been struggling with the same for years. I like using Yubikeys myself. Under Mac, like with Linux, when you enroll a FIDO2 hardware token you are NOT prompted for or forced to set a PIN. You simply touch the device and it is enrolled. But under Windows this was not the case. However, now with 6.4.1.1 you can control this. There are two poorly documented settings now in AA under the FIDO2 method: "Resident Key Requirement" and "User Verification (pin)". They each have 3 settings:

    Preferred (Default)

    Required

    Discouraged

    I've read the docs a few times and I don't understand fully what these settings do nor do I understand fully what the different options mean/do.  The AA docs are generally abysmal and this is no different!

So I tested various combinations of settings. To get what you want, basically just a presence "touch" setup, you have to set both of these to Discouraged. Once I did that I could enroll a key/stick with no PIN under Win10 and it succeeded. If I left the defaults, a PIN was required under Windows. I did try enrolling a key with a PIN under Windows (default AA settings) and it failed for me. As far as I can tell, Windows 10 does not support "Resident Key Requirement" (maybe?). No combination worked for me if that wasn't set to "Discouraged". I did not test under Win11 or with other browsers.

    Can someone provide a more complete explanation of these settings and where and why we'd use each one?  I'd like to understand this better.

    Matt
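As an added illustration (not code from the thread, from Advanced Authentication or from Yubico) of what the two settings Matt describes map to in WebAuthn, and of how a relying party can see from the returned authenticator data whether touch (UP) and PIN/biometric (UV) were actually performed, the following Node.js snippet builds the authenticatorSelection for the "preferred/required/discouraged" choices and parses the flags byte of a constructed authenticatorData sample. The function names, the 'discouraged'/'preferred'/'required' mapping to the AA settings, and the sample bytes are assumptions made for this example; the flags layout is the WebAuthn one.

```javascript
// Added example, not part of the original thread or of the AA product.
// 1) Map the AA-style choice to WebAuthn's authenticatorSelection fields.
function buildAuthenticatorSelection({ residentKey = 'preferred', userVerification = 'preferred' } = {}) {
  const allowed = ['discouraged', 'preferred', 'required'];
  if (!allowed.includes(residentKey) || !allowed.includes(userVerification)) {
    throw new Error('value must be discouraged, preferred or required');
  }
  return {
    residentKey,                                     // WebAuthn Level 2 field
    requireResidentKey: residentKey === 'required',  // Level 1 compatibility field
    userVerification,                                // what the browser/platform asks the key for
  };
}

// 2) authenticatorData layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4] | ...
//    flags: bit0 UP (user present/touch), bit2 UV (user verified: PIN or biometric),
//           bit6 AT (attested credential data present), bit7 ED (extensions).
function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    attestedCredentialData: (flags & 0x40) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// 3) Server-side policy: a touch (UP) is always required; UV is additionally
//    required only when the relying party's policy is 'required'. With
//    'discouraged' or 'preferred', a touch-only assertion is accepted.
function acceptAssertion(authData, userVerificationPolicy) {
  const f = parseAuthDataFlags(authData);
  if (!f.userPresent) return false;
  if (userVerificationPolicy === 'required' && !f.userVerified) return false;
  return true;
}

// Constructed sample: zeroed rpIdHash, caller-chosen flags byte, signCount = 7.
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37, 0);
  buf[32] = flags;
  buf.writeUInt32BE(7, 33);
  return buf;
}
```

A key enrolled with the Windows defaults will typically return assertions with both UP and UV set, while a touch-only enrollment returns UP alone; the server check above is what decides whether the latter is acceptable.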

  • Suggested Answer

    0   in reply to Matt Weisberg

    Hello Matt,

    Please open a service request with Technical Support for this so we can investigate further.

About the documentation, you can also add your comments to the sections of the document that need improvement, thus opening an internal request to the Documentation Team that they have to review and address.

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to Luciano Testa
    Please open a service request with Technical Support for this so we can investigate further.

    I've had a case open on this since April 4, 2022 (nearly 1 year).  Case # 02224145

    Last I heard, support was trying to figure out how to buy some Yubikeys so they could test it themselves.  Maybe the new owners will agree to buy them a few so they can support the product?

    Matt

  • Suggested Answer

    0   in reply to Matt Weisberg

    I checked that ticket and yes, they are in the process of acquiring the required hardware in order to test. I don't have any new information to share on that, apologies.

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to Luciano Testa

I do see some of the docs were revised and I added my comments. The docs show that Resident Key is supported by Windows (doesn't say which version) and all common browsers. But from my experience with Windows 10, this does not work. You cannot enroll a Yubikey with Resident Key Preferred or Required. You get "FAILED" every time. It has to be DISCOURAGED to work with AA.

I still would like an explanation of what Resident Key means exactly and in what use cases you would want to require it. What benefit does it add? The User PIN is pretty self-explanatory (but I'm like the original poster, I just want to use the token's physical touch requirement as a second factor, I don't want to add a PIN/3rd factor to the mix). FWIW, Microsoft requires you to set a PIN to use a Yubikey with M365, so it's not without precedent. But others do not (Google, Twitter, Facebook, etc.).

    Matt